SAS Azure签名不匹配 [英] SAS Azure Signature did not match

问题描述

我尝试在azure存储中的blob上创建SAS. 我编写以下代码:

I try to create a SAS to a blob on azure storage in php. I write the following code:

$key ="...";

$end = date('Y-m-d\TH\:i\:s\Z', strtotime('+1 day'));

function getSASForBlob($accountName, $container, $blob, $permissions ,$expiry, $key){
 /* Create the signature */
 $_arraysign = array();
 $_arraysign[] = $permissions;
 $_arraysign[] = '';
 $_arraysign[] = $expiry;
 $_arraysign[] = '/'.$accountName . '/' . $container . '/' . $blob;
 $_arraysign[] = '';
 $_arraysign[] = "2015-12-11"; //the API version is now required 
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';

 $_str2sign = implode("\n", $_arraysign);

 return base64_encode(hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true));
}

function getBlobUrl($accountName, $container, $blob, $resourceType, $permissions, $expiry, $_signature){
 /* Create the signed query part */
 $_parts = array();
 $_parts[] = 'sv=2015-12-11';

 $_parts[] = 'ss=b';
 $_parts[] = 'srt=' . $resourceType;
 $_parts[] = (!empty($permissions))?'sp=' . $permissions:'';
 $_parts[] = (!empty($expiry))?'se=' .$expiry:'';
 $_parts[] = 'spr=https';
 $_parts[] = 'sig=' . urlencode($_signature);


 /* Create the signed blob URL */
 $_url = 'https://'
 .$accountName.'.blob.core.windows.net/'
 . $container . '/'
 . $blob . '?'
 . implode('&', $_parts);

 return $_url;
 }


$sig = getSASForBlob("cloudviewer","450-423-422-392", "thumbnail.jpeg", "r",     $end, $key);
$url = getBlobUrl("cloudviewer","450-423-422-392","thumbnail.jpeg","o","r", $end, $sig);

echo(json_encode(array('url' => $url, 'sig' => $sig, 'expiry' => $end)));

我收到的网址结果是:

the url result that I received is: https://cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12-09T17:08:25Z&spr=https&sig=BU6lfFljKLsmK8zPdHny5qRU9XStpE97Pud5vj4biEY%3D

:签名不匹配.用于签名的字符串是cloudviewer r b o 2016-12-09T17:08:25Z https 2015-12-11

with an authentification error :Signature did not match. String to sign used was cloudviewer r b o 2016-12-09T17:08:25Z https 2015-12-11

我直接从Azure创建SAS，并且拥有网址

I create a SAS directly from Azure and I had the url https://cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12-09T17:28:32Z&st=2016-12-08T15:28:32Z&spr=https&sig=EgnmcRSSKol%2BqR2A4aBdFhL9dmkhGJVHOw9W%2BC8%2FTKI%3D which works and be similar to the first one.

我已经尝试了

$_arraysign[] = '/blob/'.$accountName . '/' . $container . '/' . $blob;
$_arraysign[] = $accountName . '/' . $container . '/' . $blob;

你有什么主意吗?

谢谢

推荐答案

似乎您正在尝试生成帐户SAS令牌，如

It seems that you are trying to generate an account SAS token, as the second example described at https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#examples-of-sas-uris. Per my understanding, you can only generate a common blob SAS token as the first example mentioned at above article.

同时，根据

Meanwhile, according to the description of Constructing the Signature String, you missed several parts when generating the signature.

因此，请尝试以下代码段:

So, please try the following code snippet:

function getSASForBlob($accountName, $container, $blob, $permissions ,$expiry, $key){
 /* Create the signature */
 $_arraysign = array();
 $_arraysign[] = $permissions;
 $_arraysign[] = '';
 $_arraysign[] = $expiry;
 $_arraysign[] = '/blob' .'/'.$accountName . '/' . $container . '/' . $blob;
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = "2015-12-11"; //the API version is now required 
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';

 $_str2sign = implode("\n", $_arraysign);

 return base64_encode(hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true));
}

function getBlobUrl($accountName, $container, $blob, $resourceType, $permissions, $expiry, $_signature){
 /* Create the signed query part */

 $_parts = array();
    $_parts[] = (!empty($expiry)) ? 'se=' . urlencode($expiry) : '';
    $_parts[] = 'sr=' . $resourceType;
    $_parts[] = (!empty($permissions)) ? 'sp=' . $permissions : '';
    $_parts[] = 'sig=' . urlencode($_signature);
    $_parts[] = 'sv=2015-12-11';
    $_parts[] = 'rscd=';


 /* Create the signed blob URL */
 $_url = 'https://'
 .$accountName.'.blob.core.windows.net/'
 . $container . '/'
 . $blob . '?'
 . implode('&', $_parts);

 return $_url;
 }

$sig = getSASForBlob(AZURE_ACC_NAME,AZURE_CONTAINER, BLOB, "r", $endDate, AZURE_PRIMARY_KEY);
$url = getBlobUrl(AZURE_ACC_NAME,AZURE_CONTAINER,BLOB,"b","r", $endDate, $sig);

这篇关于SAS Azure签名不匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！