
 
bmbudai
Topic Author
Posts: 8
Joined: Thu Jun 20, 2019 9:54 am

URL signing for AWS S3 and CloudFront hosted content

Thu Jun 20, 2019 1:46 pm

I'm working on a Roku channel, and we want to have files hosted in an AWS S3 bucket, with CloudFront to distribute the content. Before considering security, it worked fine. However, now that I'm trying to be mindful of security issues, I'm experiencing problems. I have the S3 bucket as a private bucket (no public access to anything in it) and I created an origin access identity for the CloudFront distribution so that it can access the content in the bucket. The problem is, I am unable to create expiring signed URLs (or cookies either) within the channel BrightScript code to get access to the content. I can create a signed URL using Amazon's Perl script via the command line, and if I copy/paste the signature portion of the link it gives me into the signature portion of the URL I create in BrightScript (replacing the signature), it works. Of course, that's because everything else about the URLs is identical, so once I replace the signature I just have the other URL. So I know (at least I think I can safely say) that the problem is with the signature. I follow the steps indicated in AWS' documentation, but it always returns with an "Access Denied" error message. The only part of the signing process that I have left out is the Base64 encoding. I have tried Base64 encoding the signature the BrightScript creates using this site and updating the URL and trying it, but still no luck. I'm feeling like it has something to do with how BrightScript hashes or signs things. I saw in a Stack Overflow post that openssl (which is what the Perl script uses to hash/sign) also encodes into ASN.1 before signing... I've tried tinkering with that as well to see if I could get it to work including that step, but no luck there either. Maybe I'm not doing it right, or maybe that's not the problem. I know some people use S3 and CloudFront to host content for Roku channels, so I don't know why it shouldn't work. Hopefully someone out there can shed some light...
If someone knows a solution I would be thrilled to hear it!

Here is a link to my question on Stack Overflow, which has some code snippets as well:
https://stackoverflow.com/questions/56694746/brightscript-generated-signed-urls-for-cloudfront-yield-access-denied
 
speechles
Posts: 168
Joined: Thu Aug 06, 2015 11:15 pm

Re: URL signing for AWS S3 and CloudFront hosted content

Fri Jun 21, 2019 10:30 am

 sigString = signature.ToAsciiString()
 print "sigString: ";sigString
 signatureString = sigString.ToBase64String()

You have to ToBase64String() the sigString, not the signature. Now does it work?
 
bmbudai
Topic Author
Posts: 8
Joined: Thu Jun 20, 2019 9:54 am

Re: URL signing for AWS S3 and CloudFront hosted content

Fri Jun 21, 2019 10:46 am

No, it goes into the BrightScript debugger and says "Member function not found in BrightScript Component or interface." That's because sigString is an ASCII string but ToBase64String() is only available on roByteArray. I think I may have a lead though. I realized that when I use the Perl script to create a signed URL (which works) it uses a policy of this string: "{"Statement":[{"Resource":"http://d1uuhuldzrqhow.cloudfront.net/icon_focus_sd.png","Condition":{"DateLessThan":{"AWS:EpochTime":1561230905}}}]}". However, in BrightScript it uses this string: "{"Statement":[{"Condition":{"DateLessThan":{"AWS:EpochTime":1561230905}},"Resource":"http://d1uuhuldzrqhow.cloudfront.net/icon_focus_sd.png"}]}". Notice how "Condition" comes before "Resource" in the non-working policy string. I tried the second policy string in the Perl script and got access denied, which gives me hope that if I can get the correct policy string in the BrightScript, I might be able to get it to work. The problem is I don't know how to escape quotation marks in a string in BrightScript, so I have it JSON encoding the policy from an roAssociativeArray, and I guess that puts it into alphabetical order - breaking it. I'm not 100% sure that it will work after I figure that out though, because I've tried hard-coding the hash value in from the hashed version of the correct policy, and still no luck. But hey, it's getting closer!
 
bmbudai
Topic Author
Posts: 8
Joined: Thu Jun 20, 2019 9:54 am

Re: URL signing for AWS S3 and CloudFront hosted content

Fri Jun 21, 2019 11:11 am

Ok. So thanks to this thread I was able to get the correct policy string in. BrightScript now comes up with the correct SHA-1 hash value for my policy string. I still get access denied. Must be something to do with the RSA signing or else with the encoding. Just gotta do more troubleshooting.
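The policy ordering, SHA-1, RSA and Base64 steps the thread works through, put together in Python as an added example (not code from the thread or from the Stack Overflow answer). The CloudFront host and epoch time are the ones quoted above; the RSA key pair is a constructed toy key built from two Mersenne primes, and the Key-Pair-Id is a placeholder.

```python
# Added example: CloudFront canned-policy signed URL, step by step. The key
# pair below is a constructed toy key (obviously not secret); the host and
# epoch time come from the thread, the Key-Pair-Id is a placeholder.
import base64, hashlib, json

# ASN.1 DigestInfo prefix for SHA-1: this is the "encodes into ASN.1 before
# signing" step openssl performs (PKCS#1 v1.5), which a raw RSA op omits.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def canned_policy(url: str, expires: int) -> bytes:
    # Byte-exact: Resource before Condition, no whitespace. A serializer that
    # sorts keys alphabetically yields the rejected order seen in the thread.
    policy = {"Statement": [{"Resource": url,
              "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode()

def pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-1(message)
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(message: bytes, d: int, n: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def rsa_sha1_verify(message: bytes, sig: bytes, e: int, n: int) -> bool:
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_v15_encode(message, k)

def cloudfront_b64(raw: bytes) -> str:
    # Standard Base64, then CloudFront's URL-safe substitutions: + - / ~ = _
    return base64.b64encode(raw).decode().translate(str.maketrans("+/=", "-~_"))

def signed_url(url: str, expires: int, key_pair_id: str, d: int, n: int) -> str:
    sig = cloudfront_b64(rsa_sha1_sign(canned_policy(url, expires), d, n))
    return f"{url}?Expires={expires}&Signature={sig}&Key-Pair-Id={key_pair_id}"

def toy_keypair():
    # Constructed demo key only; whoever holds d can mint valid URLs, so in a
    # shipped channel this step belongs on a server, not in device-side code.
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q

if __name__ == "__main__":
    e, d, n = toy_keypair()
    print(signed_url("http://d1uuhuldzrqhow.cloudfront.net/icon_focus_sd.png",
                     1561230905, "KEY-PAIR-ID-PLACEHOLDER", d, n))
```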
 
speechles
Posts: 168
Joined: Thu Aug 06, 2015 11:15 pm

Re: URL signing for AWS S3 and CloudFront hosted content

Fri Jun 21, 2019 11:24 am

bmbudai wrote:
The problem is I don't know how to escape quotation marks in a string in BrightScript, so I have it json encoding the policy from an roAssociativeArray, and I guess that puts it into alphabetical order - breaking it.

You can use:
escaped_text = text.replace( chr(34), "\"+chr(34) )

or...
escaped_text = text.replace( chr(34), chr(27)+chr(34) )

Which method will work depends on how you use the text.
 
bmbudai
Topic Author
Posts: 8
Joined: Thu Jun 20, 2019 9:54 am

Re: URL signing for AWS S3 and CloudFront hosted content

Fri Jun 21, 2019 11:27 am

Hmmm... I may do that later on to make it more clean/readable. I was able to get the quotation marks into the string by just concatenating Chr(34) everywhere I needed them. Super long and hideous but it does the job for now.
 
bmbudai
Topic Author
Posts: 8
Joined: Thu Jun 20, 2019 9:54 am

Re: URL signing for AWS S3 and CloudFront hosted content

Fri Jun 21, 2019 1:44 pm

SOLVED!!! I posted an answer on the Stack Overflow Page with the details. Hopefully this helps some out.

Thanks!
 
cocotower
Posts: 29
Joined: Fri Sep 22, 2017 8:26 pm

Re: URL signing for AWS S3 and CloudFront hosted content

Sat Jun 22, 2019 4:53 pm

Why do you need CloudFront?  S3 works fine for me with thousands of subscribers from all over the world.
 
bmbudai
Topic Author
Posts: 8
Joined: Thu Jun 20, 2019 9:54 am

Re: URL signing for AWS S3 and CloudFront hosted content

Mon Jun 24, 2019 10:43 am

I was under the impression that it would perform better with CloudFront. Do you have S3 requiring signed URLs?
 
cocotower
Posts: 29
Joined: Fri Sep 22, 2017 8:26 pm

Re: URL signing for AWS S3 and CloudFront hosted content

Mon Sep 02, 2019 5:43 pm

At this time it's public read access to bucket names nobody knows about, so it's sort of private, but I'm trying to figure out how to pass keys in the HTTP requests which should work on a private bucket.
