问题描述

我尝试在azure存储中的blob上创建SAS.我编写以下代码:

I try to create a SAS to a blob on azure storage in php.I write the following code:

$key ="...";

$end = date('Y-m-d\TH\:i\:s\Z', strtotime('+1 day'));

function getSASForBlob($accountName, $container, $blob, $permissions ,$expiry, $key){
 /* Create the signature */
 $_arraysign = array();
 $_arraysign[] = $permissions;
 $_arraysign[] = '';
 $_arraysign[] = $expiry;
 $_arraysign[] = '/'.$accountName . '/' . $container . '/' . $blob;
 $_arraysign[] = '';
 $_arraysign[] = "2015-12-11"; //the API version is now required
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';

 $_str2sign = implode("\n", $_arraysign);

 return base64_encode(hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true));
}

function getBlobUrl($accountName, $container, $blob, $resourceType, $permissions, $expiry, $_signature){
 /* Create the signed query part */
 $_parts = array();
 $_parts[] = 'sv=2015-12-11';

 $_parts[] = 'ss=b';
 $_parts[] = 'srt=' . $resourceType;
 $_parts[] = (!empty($permissions))?'sp=' . $permissions:'';
 $_parts[] = (!empty($expiry))?'se=' .$expiry:'';
 $_parts[] = 'spr=https';
 $_parts[] = 'sig=' . urlencode($_signature);


 /* Create the signed blob URL */
 $_url = 'https://'
 .$accountName.'.blob.core.windows.net/'
 . $container . '/'
 . $blob . '?'
 . implode('&', $_parts);

 return $_url;
 }


$sig = getSASForBlob("cloudviewer","450-423-422-392", "thumbnail.jpeg", "r",     $end, $key);
$url = getBlobUrl("cloudviewer","450-423-422-392","thumbnail.jpeg","o","r", $end, $sig);

echo(json_encode(array('url' => $url, 'sig' => $sig, 'expiry' => $end)));

我收到的网址结果是: https://https://amps.google.com/sig= .windows.net/450-423-422-392/thumbnail.jpeg?sv = 2015-12-11& ss = b& srt = o& sp = r& se = 2016-12-09T17:08:25Z& spr = https& sig = BU6lfFljKLsmK8zPdHny5qRU9XStpE97Pud5vj4biEY％3D

the url result that I received is: https://cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12-09T17:08:25Z&spr=https&sig=BU6lfFljKLsmK8zPdHny5qRU9XStpE97Pud5vj4biEY%3D

:签名不匹配.用于签名的字符串是cloudviewer r b o 2016-12-09T17:08:25Z https 2015-12-11

with an authentification error :Signature did not match. String to sign used was cloudviewer r b o 2016-12-09T17:08:25Z https 2015-12-11

我直接从Azure创建SAS，并且拥有网址//cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12- 09T17:28:32Z& st = 2016-12-08T15:28:32Z& spr = https& sig = EgnmcRSSKol％2BqR2A4aBdFhL9dmkhGJVHOw9W％2BC8％2FTKI％3D 哪个有效，并且与第一个相似.

I create a SAS directly from Azure and I had the urlhttps://cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12-09T17:28:32Z&st=2016-12-08T15:28:32Z&spr=https&sig=EgnmcRSSKol%2BqR2A4aBdFhL9dmkhGJVHOw9W%2BC8%2FTKI%3Dwhich works and be similar to the first one.

我已经尝试了

$_arraysign[] = '/blob/'.$accountName . '/' . $container . '/' . $blob;
$_arraysign[] = $accountName . '/' . $container . '/' . $blob;

你有什么主意吗?

谢谢

推荐答案

似乎您正在尝试生成帐户SAS令牌，如 https://docs.microsoft.com/zh-我们/azure/storage/storage-dotnet-shared-access-signature-part-1#examples-ss-uris .根据我的理解，您只能生成一个通用的Blob SAS令牌，作为上述文章中提到的第一个示例.

It seems that you are trying to generate an account SAS token, as the second example described at https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#examples-of-sas-uris. Per my understanding, you can only generate a common blob SAS token as the first example mentioned at above article.

同时，根据构造签名字符串，您在生成签名时错过了几部分.

Meanwhile, according to the description of Constructing the Signature String, you missed several parts when generating the signature.

因此，请尝试以下代码段:

So, please try the following code snippet:

function getSASForBlob($accountName, $container, $blob, $permissions ,$expiry, $key){
 /* Create the signature */
 $_arraysign = array();
 $_arraysign[] = $permissions;
 $_arraysign[] = '';
 $_arraysign[] = $expiry;
 $_arraysign[] = '/blob' .'/'.$accountName . '/' . $container . '/' . $blob;
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = "2015-12-11"; //the API version is now required
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';

 $_str2sign = implode("\n", $_arraysign);

 return base64_encode(hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true));
}

function getBlobUrl($accountName, $container, $blob, $resourceType, $permissions, $expiry, $_signature){
 /* Create the signed query part */

 $_parts = array();
    $_parts[] = (!empty($expiry)) ? 'se=' . urlencode($expiry) : '';
    $_parts[] = 'sr=' . $resourceType;
    $_parts[] = (!empty($permissions)) ? 'sp=' . $permissions : '';
    $_parts[] = 'sig=' . urlencode($_signature);
    $_parts[] = 'sv=2015-12-11';
    $_parts[] = 'rscd=';


 /* Create the signed blob URL */
 $_url = 'https://'
 .$accountName.'.blob.core.windows.net/'
 . $container . '/'
 . $blob . '?'
 . implode('&', $_parts);

 return $_url;
 }

$sig = getSASForBlob(AZURE_ACC_NAME,AZURE_CONTAINER, BLOB, "r", $endDate, AZURE_PRIMARY_KEY);
$url = getBlobUrl(AZURE_ACC_NAME,AZURE_CONTAINER,BLOB,"b","r", $endDate, $sig);

这篇关于SAS Azure签名不匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！