Describe the feature
CloudFront added support for ECDSA P-256 key pairs in key groups (alongside RSA-2048) in September 2025. However, @aws-sdk/cloudfront-signer hardcodes RSA-SHA1.
Use Case
ECDSA P-256 signatures produce significantly shorter signed URLs (~200 characters vs ~450 for RSA), which matters for IoT devices with constrained URL buffers. ECDSA signing is also ~12x faster, relevant for high-throughput URL generation. CloudFront's documentation already describes creating ECDSA key pairs and using them in key groups, but there's no SDK-level support in JS.
Proposed Solution
A minimal backwards-compatible fix in sign.ts:
```ts
import { createPrivateKey, createSign, KeyObject } from "node:crypto";

private signData(data: string, privateKey: string | Buffer, passphrase?: string): string {
  const keyObject = createPrivateKey({
    key: privateKey,
    ...(passphrase ? { passphrase } : {}),
  });
  const keyType = keyObject.asymmetricKeyType;
  if (keyType !== "rsa" && keyType !== "ec") {
    throw new Error(
      `Unsupported key type "${keyType}". CloudFront signed URLs require RSA or ECDSA P-256 keys.`
    );
  }
  // SHA1 is the hash used by CloudFront for both RSA and ECDSA verification.
  // Node.js selects the signing algorithm (RSA-SHA1 or ECDSA-SHA1) from the key type.
  const sign = createSign("SHA1");
  sign.update(data);
  return sign.sign(keyObject, "base64");
}
```
Other Information
No response
Acknowledgements
SDK version used
3.1009.0
Environment details (OS name and version, etc.)
Node.js 20, Linux/macOS
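Added example, not part of the issue or the SDK: a standalone Node.js script that signs a constructed canned policy with a throwaway RSA-2048 key and a throwaway P-256 key, verifies both locally, and compares the base64 signature lengths behind the URL-size difference described above. It also pins the EC curve to P-256 through `asymmetricKeyDetails.namedCurve`, which a check on `asymmetricKeyType` alone does not do; `signPolicy`, `verifyPolicy`, `pem`, `compareKeyTypes`, the resource URL and the expiry are assumptions made for the example.

```javascript
// Added example (not SDK code). Keys are generated in-process; the URL and expiry are constructed.
const { createPrivateKey, createPublicKey, createSign, createVerify, generateKeyPairSync } =
  require("node:crypto");

// Hypothetical helper: sign a policy string with an RSA or ECDSA P-256 private key (PEM).
function signPolicy(policy, privateKeyPem) {
  const key = createPrivateKey(privateKeyPem);
  const type = key.asymmetricKeyType;
  if (type === "ec") {
    // A bare "ec" check would also accept P-384, secp256k1, etc.; pin the curve.
    const curve = key.asymmetricKeyDetails.namedCurve;
    if (curve !== "prime256v1") throw new Error(`Unsupported EC curve "${curve}"`);
  } else if (type !== "rsa") {
    throw new Error(`Unsupported key type "${type}"`);
  }
  // SHA1 and Node's default signature encoding (DER for ECDSA), as in the proposal above.
  return createSign("SHA1").update(policy).sign(key, "base64");
}

// Check a signature locally against the public half derived from the same PEM.
function verifyPolicy(policy, signatureB64, privateKeyPem) {
  const publicKey = createPublicKey(privateKeyPem);
  return createVerify("SHA1").update(policy).verify(publicKey, signatureB64, "base64");
}

// Generate a throwaway private key and return it as PKCS#8 PEM.
function pem(type, options) {
  return generateKeyPairSync(type, options).privateKey.export({ type: "pkcs8", format: "pem" });
}

// Constructed canned policy for a constructed resource URL.
const POLICY = JSON.stringify({
  Statement: [{
    Resource: "https://cdn.example.com/firmware.bin",
    Condition: { DateLessThan: { "AWS:EpochTime": 1767225600 } },
  }],
});

// Sign and verify the same policy with each key type; report base64 signature length.
function compareKeyTypes() {
  const out = {};
  const keys = { rsa: pem("rsa", { modulusLength: 2048 }), p256: pem("ec", { namedCurve: "prime256v1" }) };
  for (const [name, key] of Object.entries(keys)) {
    const sig = signPolicy(POLICY, key);
    out[name] = { length: sig.length, valid: verifyPolicy(POLICY, sig, key) };
  }
  return out;
}

console.log(compareKeyTypes());
```

An RSA-2048 signature is always 344 base64 characters, while a DER-encoded P-256 signature is at most 96.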