使用 php 的 Azure 共享访问签名错误

Question

I'm using SAS to trying to download a blob from a Private Azure Storage container, using php.我正在使用 SAS 尝试使用 php 从私有 Azure 存储容器下载 blob。 But ALWAYS it throws me the same mistake.但它总是让我犯同样的错误。

<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. ...
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used ... /blob/name/container/archive.jpg
</AuthenticationErrorDetail>
</Error>

This is my code:这是我的代码：

static private function getSASForBlob($accountName,$containerName, $fileName, $resourceType, $permissions, $expiry) {
     /* Create the signature */         

        $_arraysign = array();
        $_arraysign[] = $permissions;
        $_arraysign[] = '';
        $_arraysign[] = $expiry;
        $_arraysign[] = $accountName . '/' . $containerName . '/' . $fileName;
        $_arraysign[] = '';
        $_arraysign[] = "2015-04-05"; //the API version is now required
        $_arraysign[] = '';
        $_arraysign[] = '';
        $_arraysign[] = '';
        $_arraysign[] = '';
        $_arraysign[] = '';

        $_str2sign = implode("\n", $_arraysign);

        return base64_encode(
        hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($key), true)
    );
    }
    static public function getBlobDownloadUrl($container,$blob,$accountName,$key){
 /* Create the signed query part */         
        $resourceType='b';
        $permissions='r';
        /*$expTime_utc = new DateTime(null, new DateTimeZone("UTC"));
        $expTime_utc->add(new DateInterval('PT1H'));
        $expiry=$expTime_utc->format('Y-m-d\TH:i:s\Z');*/
        $expiry = date('Y-m-d\TH:i:s\Z', strtotime('+1 day'));
        $_signature=AzureServices::getSASForBlob($accountName,$key,$container, $blob, $resourceType, $permissions, $expiry);
        $_parts = array();
        $_parts[] = (!empty($expiry))?'se=' . urlencode($expiry):'';
        $_parts[] = 'sr=' . $resourceType;
        $_parts[] = (!empty($permissions))?'sp=' . $permissions:'';
        $_parts[] = 'sig=' . urlencode($_signature);
        $_parts[] = "sv=2015-04-05";

        /* Create the signed blob URL */
        $_url = 'https://'
        .$accountName.'.blob.core.windows.net/'
        . $container . '/'
        . $blob . '?'
        . implode('&', $_parts);

        return $_url;
    }

I have tried changing the date to DateTime following the same structure, adding and deleting an "/" to the line "$_arraysign[] = $accountName . '/' . $containerName . '/' . $fileName" ... But nothing happened, the same error message is showed... Please help me.我尝试按照相同的结构将日期更改为 DateTime，在“$_arraysign[] = $accountName . '/' . $containerName . '/' . $fileName” 行中添加和删除“/”...但是什么也没发生，显示相同的错误消息...请帮助我。 Thanks谢谢

Answer 1

As you are using the signedversion in 2015-04-05 , so beside @Gaurav Mantri's answer, there is one more point you need to be attention to, is that, according the description under section Constructing the Signature String in https://msdn.microsoft.com/en-us/library/azure/dn140255.aspx :由于您使用的是2015-04-05的signedversion ，因此除了@Gaurav Mantri 的回答之外，您还需要注意一点，即，根据https://msdn 中构建签名字符串部分下的描述.microsoft.com/en-us/library/azure/dn140255.aspx ：

Version 2015-04-05 adds support for the signed IP and signed protocol fields.版本 2015-04-05 添加了对签名 IP 和签名协议字段的支持。 These must be included in the string-to-sign.这些必须包含在要签名的字符串中。 To construct the string-to-sign for Blob or File service resources, use the following format:要为 Blob 或文件服务资源构造要签名的字符串，请使用以下格式：

StringToSign = signedpermissions + "\n" +
           signedstart + "\n" +
           signedexpiry + "\n" +
           canonicalizedresource + "\n" +
           signedidentifier + "\n" +
           signedIP + "\n" +
           signedProtocol + "\n" +
           signedversion + "\n" +
           rscc + "\n" +
           rscd + "\n" +
           rsce + "\n" +
           rscl + "\n" +
           rsct

So we need to modify the $_arraysign in function getSASForBlob to something like：所以我们需要将函数getSASForBlob的$_arraysign修改为：

$_arraysign = array();
$_arraysign[] = $permissions;
$_arraysign[] = '';
$_arraysign[] = $expiry;
$_arraysign[] = '/blob/' . $accountName . '/' . $container . '/' . $blob;
$_arraysign[] = '';
$_arraysign[] = '';
$_arraysign[] = '';
$_arraysign[] = "2015-04-05"; //the API version is now required
$_arraysign[] = '';
$_arraysign[] = '';
$_arraysign[] = '';
$_arraysign[] = '';
$_arraysign[] = '';

Any further concern, please feel free to let me know.任何进一步的问题，请随时告诉我。

Answer 2

Please prepend /blob/ in this line of code:请在这行代码中添加/blob/ ：

$_arraysign[] = $accountName . '/' . $containerName . '/' . $fileName;

So, it should be:所以，应该是：

$_arraysign[] = '/blob/' . $_arraysign[] = '/blob/' 。 $accountName . $账户名。 '/' . '/' 。 $containerName . $容器名称。 '/' . '/' 。 $fileName; $文件名;

From this page: https://msdn.microsoft.com/en-us/library/azure/dn140255.aspx从此页面： https : //msdn.microsoft.com/en-us/library/azure/dn140255.aspx

The canonicalizedresouce portion of the string is a canonical path to the signed resource.字符串的规范化资源部分是签名资源的规范路径。 It must include the service name (blob, table, queue or file) for version 2015-02-21 or later, the storage account name, and the resource name, and must be URL-decoded .它必须包含 2015-02-21 或更高版本的服务名称（blob、表、队列或文件）、存储帐户名称和资源名称，并且必须是 URL 解码的。 Names of blobs must include the blob's container. blob 的名称必须包含 blob 的容器。 Table names must be lower-case.表名必须小写。 The following examples show how to construct the canonicalizedresource portion of the string, depending on the type of resource.以下示例显示如何根据资源类型构造字符串的规范化资源部分。

使用 php 的 Azure 共享访问签名错误

问题描述

2 个解决方案

解决方案1
1 已采纳 2016-06-01 01:57:15

解决方案2
0 2016-06-01 01:18:48

使用 php 的 Azure 共享访问签名错误

问题描述

2 个解决方案

解决方案1 1 已采纳 2016-06-01 01:57:15

解决方案2 0 2016-06-01 01:18:48

解决方案1
1 已采纳 2016-06-01 01:57:15

解决方案2
0 2016-06-01 01:18:48