SAS Azure Signature did not match

问题

I try to create a SAS to a blob on azure storage in php. I write the following code:

$key ="...";

$end = date('Y-m-d\TH\:i\:s\Z', strtotime('+1 day'));

function getSASForBlob($accountName, $container, $blob, $permissions ,$expiry, $key){
 /* Create the signature */
 $_arraysign = array();
 $_arraysign[] = $permissions;
 $_arraysign[] = '';
 $_arraysign[] = $expiry;
 $_arraysign[] = '/'.$accountName . '/' . $container . '/' . $blob;
 $_arraysign[] = '';
 $_arraysign[] = "2015-12-11"; //the API version is now required 
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';

 $_str2sign = implode("\n", $_arraysign);

 return base64_encode(hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true));
}

function getBlobUrl($accountName, $container, $blob, $resourceType, $permissions, $expiry, $_signature){
 /* Create the signed query part */
 $_parts = array();
 $_parts[] = 'sv=2015-12-11';

 $_parts[] = 'ss=b';
 $_parts[] = 'srt=' . $resourceType;
 $_parts[] = (!empty($permissions))?'sp=' . $permissions:'';
 $_parts[] = (!empty($expiry))?'se=' .$expiry:'';
 $_parts[] = 'spr=https';
 $_parts[] = 'sig=' . urlencode($_signature);


 /* Create the signed blob URL */
 $_url = 'https://'
 .$accountName.'.blob.core.windows.net/'
 . $container . '/'
 . $blob . '?'
 . implode('&', $_parts);

 return $_url;
 }


$sig = getSASForBlob("cloudviewer","450-423-422-392", "thumbnail.jpeg", "r",     $end, $key);
$url = getBlobUrl("cloudviewer","450-423-422-392","thumbnail.jpeg","o","r", $end, $sig);

echo(json_encode(array('url' => $url, 'sig' => $sig, 'expiry' => $end)));

the url result that I received is: https://cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12-09T17:08:25Z&spr=https&sig=BU6lfFljKLsmK8zPdHny5qRU9XStpE97Pud5vj4biEY%3D

with an authentification error :Signature did not match. String to sign used was cloudviewer r b o 2016-12-09T17:08:25Z https 2015-12-11

I create a SAS directly from Azure and I had the url https://cloudviewer.blob.core.windows.net/450-423-422-392/thumbnail.jpeg?sv=2015-12-11&ss=b&srt=o&sp=r&se=2016-12-09T17:28:32Z&st=2016-12-08T15:28:32Z&spr=https&sig=EgnmcRSSKol%2BqR2A4aBdFhL9dmkhGJVHOw9W%2BC8%2FTKI%3D which works and be similar to the first one.

I already try

$_arraysign[] = '/blob/'.$accountName . '/' . $container . '/' . $blob;
$_arraysign[] = $accountName . '/' . $container . '/' . $blob;

Do you have any idea ?

thanks

回答1:

It seems that you are trying to generate an account SAS token, as the second example described at https://docs.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#examples-of-sas-uris. Per my understanding, you can only generate a common blob SAS token as the first example mentioned at above article.

Meanwhile, according to the description of Constructing the Signature String, you missed several parts when generating the signature.

So, please try the following code snippet:

function getSASForBlob($accountName, $container, $blob, $permissions ,$expiry, $key){
 /* Create the signature */
 $_arraysign = array();
 $_arraysign[] = $permissions;
 $_arraysign[] = '';
 $_arraysign[] = $expiry;
 $_arraysign[] = '/blob' .'/'.$accountName . '/' . $container . '/' . $blob;
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = "2015-12-11"; //the API version is now required 
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';
 $_arraysign[] = '';

 $_str2sign = implode("\n", $_arraysign);

 return base64_encode(hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true));
}

function getBlobUrl($accountName, $container, $blob, $resourceType, $permissions, $expiry, $_signature){
 /* Create the signed query part */

 $_parts = array();
    $_parts[] = (!empty($expiry)) ? 'se=' . urlencode($expiry) : '';
    $_parts[] = 'sr=' . $resourceType;
    $_parts[] = (!empty($permissions)) ? 'sp=' . $permissions : '';
    $_parts[] = 'sig=' . urlencode($_signature);
    $_parts[] = 'sv=2015-12-11';
    $_parts[] = 'rscd=';


 /* Create the signed blob URL */
 $_url = 'https://'
 .$accountName.'.blob.core.windows.net/'
 . $container . '/'
 . $blob . '?'
 . implode('&', $_parts);

 return $_url;
 }

$sig = getSASForBlob(AZURE_ACC_NAME,AZURE_CONTAINER, BLOB, "r", $endDate, AZURE_PRIMARY_KEY);
$url = getBlobUrl(AZURE_ACC_NAME,AZURE_CONTAINER,BLOB,"b","r", $endDate, $sig);

来源：https://stackoverflow.com/questions/41044373/sas-azure-signature-did-not-match