@alextwoods alextwoods commented Dec 16, 2025

Add support for ECDSA signed CloudFront URLs

Motivation and Context

Fixes: #6543

See also:

Modifications

  • Detect the given PrivateKey's algorithm and support RSA/EC.
  • When given a path, attempt to load both RSA and EC keys from it.

Q: Why not make this more generic and support possible future algorithms?
A: The signing mechanism for CloudFront signed URLs requires both knowing the key type (RSA vs EC) and the hash function to use. We cannot derive the required hash function from the PrivateKey. If additional algorithms are supported in the future, it's possible/likely that they will choose to use more modern/secure hashes like SHA256 - however, we don't have that knowledge now. The code in this PR attempts to make the code more generic to handle possible future algorithms more easily, but doesn't add support for anything that isn't supported in CloudFront today.

Testing

New and existing unit and integration tests. (Note: Integration tests confirm usage of SHA1withECDSA is supported service side).

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your

License

  • I confirm that this pull request can be released under the Apache 2 license
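
As an added example (not code from this PR or from the SDK), the key-type-to-hash selection described in the Q&A above can be written against plain JCA as follows. The class name, method names and sample policy are constructed for illustration, and `SHA1withRSA` for RSA keys is CloudFront's existing convention rather than something stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class CloudFrontSignatureAlgorithmExample {
    // The key only tells us its type; the hash is fixed per type by the service,
    // so unknown key types are rejected instead of guessing a hash.
    static String signatureAlgorithmFor(PrivateKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "SHA1withRSA";
            case "EC":  return "SHA1withECDSA";
            default:
                throw new IllegalArgumentException("Unsupported key algorithm: " + key.getAlgorithm());
        }
    }

    static byte[] sign(PrivateKey key, byte[] policy) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(signatureAlgorithmFor(key));
        signer.initSign(key);
        signer.update(policy);
        return signer.sign();
    }

    // CloudFront's URL-safe Base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
    static String urlSafe(byte[] signature) {
        return Base64.getEncoder().encodeToString(signature)
                .replace('+', '-').replace('=', '_').replace('/', '~');
    }

    public static void main(String[] args) throws Exception {
        // Constructed canned policy; the host and expiry are placeholders.
        String policy = "{\"Statement\":[{\"Resource\":\"https://example.cloudfront.net/file.txt\","
                + "\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":1767225600}}}]}";
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        for (KeyPair pair : new KeyPair[] {rsa.generateKeyPair(), ec.generateKeyPair()}) {
            byte[] sig = sign(pair.getPrivate(), policy.getBytes(StandardCharsets.UTF_8));
            Signature verifier = Signature.getInstance(signatureAlgorithmFor(pair.getPrivate()));
            verifier.initVerify(pair.getPublic());
            verifier.update(policy.getBytes(StandardCharsets.UTF_8));
            System.out.println(pair.getPrivate().getAlgorithm() + " verified=" + verifier.verify(sig)
                    + " Signature=" + urlSafe(sig));
        }
    }
}
```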

@alextwoods alextwoods requested a review from a team as a code owner December 16, 2025 00:41
@alextwoods alextwoods added the no-api-surface-area-change Indicate there is no API surface area change and thus API surface area review is not required label Dec 16, 2025
try {
return KeyFactory.getInstance("RSA").generatePrivate(privateKeySpec);
} catch (InvalidKeySpecException rsaFail) {
return KeyFactory.getInstance("EC").generatePrivate(privateKeySpec);
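Review bot: in the catch block, rsaFail is discarded, so when the EC attempt also throws, the caller sees only the EC InvalidKeySpecException and has no record that RSA was tried first. Consider catching the second failure and attaching rsaFail to it with addSuppressed (or building one exception that names both attempted algorithms), so a malformed or unsupported key file produces a single error that reports both the RSA and the EC parse failure.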
Contributor

Should we add a debug statement mentioning falling back to EC?

Contributor Author

Yeah, good question - I'm a little on the fence about this code in general here. Ideally we would use the EncodedKeySpec#getAlgorithm method, but it's not available until Java 9 :-(. So I'd say conceptually this is a little different than a fall back.

What I did do is add an additional catch(InvalidKeySpecException) in the privateKeyFromPkcs8 method that calls this that makes it more clear that the given private key file wasn't one of the supported formats.

What do you think? I'm happy to add logging, but I think it might be a little confusing to see "falling back to EC" when that's what you intended by passing an EC private key?

Contributor

Gotcha, makes sense. I see the new revision added improved error message, lgtm!

@sonarqubecloud

Quality Gate failed

Failed conditions
3 Security Hotspots
31.5% Coverage on New Code (required ≥ 80%)
5.5% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Successfully merging this pull request may close these issues.

Cloudfront Signer ECDSA Support