Roku Developer Program

bmbudai
Level 7

URL signing for AWS S3 and CloudFront hosted content

I'm working on a Roku channel, and we want to have files hosted in an AWS S3 bucket, with CloudFront to distribute the content. Before considering security, it worked fine. However, now that I'm trying to be mindful of security issues, I'm experiencing problems. I have the S3 bucket as a private bucket (no public access to anything in it) and I created an origin access identity for the CloudFront distribution so that it can access the content in the bucket.

The problem is, I am unable to create expiring signed URLs (or cookies either) within the channel BrightScript code to get access to the content. I can create a signed URL using Amazon's Perl script via the command line, and if I copy/paste the signature portion of the link it gives me into the signature portion of the URL I create in BrightScript (replacing the signature), it works. Of course, that's because everything else about the URLs is identical, so once I replace the signature I just have the other URL. So I know (at least I think I can safely say) that the problem is with the signature.

I follow the steps indicated in AWS' documentation, but it always returns with an "Access Denied" error message. The only part of the signing process that I have left out is the base 64 encoding. I have tried base 64 encoding the signature the BrightScript creates using this site and updating the URL and trying it, but still no luck. I'm feeling like it has something to do with how BrightScript hashes or signs things. I saw in a Stack Overflow post that OpenSSL (which is what the Perl script uses to hash/sign) also encodes into ASN.1 before signing... I've tried tinkering with that as well to see if I could get it to work including that step, but no luck there either. Maybe I'm not doing it right, or maybe that's not the problem.

I know some people use S3 and CloudFront to host content for Roku channels, so I don't know why it shouldn't work. Hopefully someone out there can shed some light...
If someone knows a solution I would be thrilled to hear it!

Here is a link to my question on Stack Overflow, which has some code snippets as well:
https://stackoverflow.com/questions/56694746/brightscript-generated-signed-urls-for-cloudfront-yield...
0 Kudos
9 Replies
speechles
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

 sigString = signature.ToAsciiString()
 print "sigString: ";sigString
 signatureString = sigString.ToBase64String()

You have ToBase64String() the sigString not the signature. Now does it work?
0 Kudos
bmbudai
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

No, it goes into the BrightScript debugger and says "Member function not found in BrightScript Component or interface." That's because sigString is an ASCII string but ToBase64String() is only available on roByteArray. I think I may have a lead though. I realized that when I use the Perl script to create a signed URL (which works) it uses a policy of this string: "{"Statement":[{"Resource":"http://d1uuhuldzrqhow.cloudfront.net/icon_focus_sd.png","Condition":{"DateLessThan":{"AWS:EpochTime":1561230905}}}]}". However, in BrightScript it uses this string: "{"Statement":[{"Condition":{"DateLessThan":{"AWS:EpochTime":1561230905}},"Resource":"http://d1uuhuldzrqhow.cloudfront.net/icon_focus_sd.png"}]}". Notice how "Condition" comes before "Resource" in the non-working policy string. I tried the second policy string in the Perl script and got access denied, which gives me hope that if I can get the correct policy string in the BrightScript, I might be able to get it to work. The problem is I don't know how to escape quotation marks in a string in BrightScript, so I have it JSON encoding the policy from an roAssociativeArray, and I guess that puts it into alphabetical order, breaking it. I'm not 100% sure that it will work after I figure that out though, because I've tried hard-coding the hash value in from the hashed version of the correct policy, and still no luck. But hey, it's getting closer!
0 Kudos
bmbudai
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

OK. So thanks to this thread I was able to get the correct policy string in. BrightScript now comes up with the correct SHA-1 hash value for my policy string. I still get access denied. Must be something to do with the RSA signing or else with the encoding. Just gotta do more troubleshooting.
0 Kudos
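The pieces discussed up to this point in the thread (policy key order, the ASN.1 step before signing, and the base64 encoding of the signature), put together as an added Python example. It is not part of any post here and is not AWS's or Roku's code. Assumptions: the RSA key is a constructed toy key built from two Mersenne primes (not secure), the RSA math is done in plain Python instead of a crypto library, and `verifies` models the receiving side rebuilding the canned policy from the URL and expiry.

```python
import base64, hashlib, json

# Constructed toy key for illustration only: two Mersenne primes, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo header for SHA-1 (the "ASN.1 before signing" step).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def canned_policy(resource, expires):
    # Exact byte layout: Resource first, then Condition, no whitespace.
    return ('{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":'
            '{"AWS:EpochTime":%d}}}]}' % (resource, expires))

def sorted_policy(resource, expires):
    # What a key-sorting JSON encoder emits: Condition before Resource.
    doc = {"Statement": [{"Resource": resource, "Condition":
           {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))

def emsa_pkcs1_v15_sha1(message):
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(message):
    em = int.from_bytes(emsa_pkcs1_v15_sha1(message), "big")
    return pow(em, D, N).to_bytes(K, "big")

def cloudfront_b64(raw):
    # Base64 with the URL-safe substitutions for +, = and /.
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def signed_url(resource, expires, key_pair_id, policy=canned_policy):
    sig = rsa_sha1_sign(policy(resource, expires).encode())
    return "%s?Expires=%d&Signature=%s&Key-Pair-Id=%s" % (
        resource, expires, cloudfront_b64(sig), key_pair_id)

def verifies(url_signature, resource, expires):
    # Verifier side: rebuild the canned policy and compare the padded hash.
    raw = base64.b64decode(url_signature.translate(str.maketrans("-_~", "+=/")))
    em = pow(int.from_bytes(raw, "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15_sha1(canned_policy(resource, expires).encode())
```

A signature made over `sorted_policy` is a valid RSA signature, but it fails `verifies` because the signed bytes differ from the canned policy string.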
speechles
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

"bmbudai" wrote:
The problem is I don't know how to escape quotation marks in a string in BrightScript, so I have it json encoding the policy from an roAssociativeArray, and I guess that puts it into alphabetical order - breaking it.

You can use:
escaped_text = text.replace( chr(34), "\"+chr(34) )

or...
escaped_text = text.replace( chr(34), chr(27)+chr(34) )

Which method will work depends on how you use the text.
0 Kudos
bmbudai
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

Hmmm... I may do that later on to make it more clean/readable. I was able to get the quotation marks into the string by just concatenating Chr(34) everywhere I needed them. Super long and hideous but it does the job for now.
0 Kudos
bmbudai
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

SOLVED!!! I posted an answer on the Stack Overflow Page with the details. Hopefully this helps some out.

Thanks!
0 Kudos
cocotower
Level 9

Re: URL signing for AWS S3 and CloudFront hosted content

Why do you need CloudFront?  S3 works fine for me with thousands of subscribers from all over the world.
0 Kudos
bmbudai
Level 7

Re: URL signing for AWS S3 and CloudFront hosted content

I was under the impression that it would perform better with CloudFront. Do you have S3 requiring signed URLs?
0 Kudos
cocotower
Level 9

Re: URL signing for AWS S3 and CloudFront hosted content

At this time it's public read access to bucket names nobody knows about, so it's sort of private, but I'm trying to figure out how to pass keys in the HTTP requests which should work on a private bucket.
0 Kudos