
我想建立授權簽名，以存取受 IAM 保護的 API Gateway 端點（在 PHP 中實作簽名版本 4 的簽署流程來存取 API Gateway 端點）。

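$alg = "SHA256";

// Canonical request exactly as AWS will rebuild it: method, path, (empty) query
// string, lower-cased headers each ending in "\n", the signed-header list and the
// SHA-256 of the (empty) payload, all newline-separated. $dd is the x-amz-date
// value (YYYYMMDD'T'HHMMSS'Z') and must be the same string sent in the header.
$CanonicalRequest = "GET\n/dev/pets\n\nhost:3r4fgts8e5.execute-api.ap-northeast-1.amazonaws.com\nx-amz-date:".$dd."\n\nhost;x-amz-date\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

// The credential scope must be identical in the string to sign, in the key
// derivation below and in the Credential= field, so build it once from the same
// $date/$region/$service the HMAC chain uses.
$credentialScope = $date->format('Ymd') . '/' . $region . '/' . $service . '/aws4_request';

// The string to sign carries the hash of the canonical request byte-for-byte.
// Stripping its newlines or lower-casing it before hashing (the former $CR steps)
// yields a digest AWS can never reproduce, hence the "signature does not match" error.
$StringToSign = "AWS4-HMAC-SHA256\n" . $dd . "\n" . $credentialScope . "\n" . hash($alg, $CanonicalRequest);

// 1) HMACs — each step is keyed with the raw (binary) output of the previous one.
//    These intermediate keys are secrets; never log them.
$kSecret = 'AWS4' . $secret_key;
$kDate = hash_hmac($alg, $date->format('Ymd'), $kSecret, true);
$kRegion = hash_hmac($alg, $region, $kDate, true);
$kService = hash_hmac($alg, $service, $kRegion, true);
$kSigning = hash_hmac($alg, 'aws4_request', $kService, true);
// Final signature is hex-encoded (no raw flag) because it goes into the header.
$signature = hash_hmac($alg, $StringToSign, $kSigning);

// SignedHeaders must list the same header names, in the same order, as the
// canonical request ("host;x-amz-date" above), so $can_headers must hold exactly those.
$authorization = array(
    'Credential=' . $access_key . '/' . $credentialScope,
    'SignedHeaders=' . implode(';', array_keys($can_headers)),
    'Signature=' . $signature,
);
$authorization = $request['algorithm'] . ' ' . implode(',', $authorization);
$request['Authorization'] = $authorization;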

但我收到「我們計算出的請求簽名與您提供的簽名不符」的錯誤

「message」:「我們計算出的請求簽名與您提供的簽名不符。請檢查您的 AWS 存取金鑰和簽名方法。詳情請參閱服務文件。\n\n此請求的規範字串 (Canonical String) 應為\n'GET\n/dev/pets\n\nhost:3r4fgts8e5.execute-api.ap-northeast-1.amazonaws.com\nx-amz-date:20161002T231640Z\n\nhost;x-amz-date\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\n\n待簽名字串 (String-to-Sign) 應為\n'AWS4-HMAC-SHA256\n20161002T231640Z\n20161002/ap-northeast-1/execute-api/aws4_request\n0b8c12e0a5f21137c5739a9d26056dfb081218631a9adcf37db1d2e09a014c4e'\n」

我的待簽名字串 (String-to-Sign) 是

"AWS4-HMAC-SHA256 
20161002T231640Z 
20161002/ap-northeast-1/execute-api/aws4_request 
fb4f7ebdcb405bceed598ecc097267b929eeb3f8f075b1b7a776f53c8c8c6168" 

這與 AWS 預期的值完全不同。


*所以，你已經有答案了：你的程式碼沒有建構出正確的規範字串，因此不可能建立正確的待簽名字串，也不可能產生正確的簽名。下一步很清楚：請查閱文件並修正程式碼，使其產生正確的中間值。注意錯誤訊息中兩次出現「**should have been**」字樣——AWS 無法得知你實際使用的值（簽名是不可逆的），它只能算出你*應該*使用的值。 –


現在可以正常運作了 :) –


@pravesh：我也遇到相同的問題，你能分享可運作的程式碼嗎？ – sas



以下是解法

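private function signRequest(){
    // Build the AWS Signature Version 4 headers for one API Gateway call.
    //
    // Input is the JSON body of the incoming request, read from php://input:
    //   "method": "VERB|/path"  (optional; defaults to GET and path "/dev")
    //   "data":   value to JSON-encode as the upstream request body (optional)
    // Credentials come from $this->session->data['aws_key'|'aws_secret'|'aws_token'].
    //
    // Returns the headers (content-type, x-amz-security-token, x-amz-date,
    // Authorization) that the caller must send unchanged, together with the
    // exact payload string hashed below as the request body.
    // Throws InvalidArgumentException for a malformed method/path and
    // RuntimeException when the session holds no credentials.
    $method = 'GET';
    $uri = '/dev';

    $obj = json_decode((string) file_get_contents('php://input'));
    if (!is_object($obj)) {
        // Empty or malformed body: fall back to the default GET /dev with an
        // empty payload instead of dereferencing null below.
        $obj = new stdClass();
    }

    if (isset($obj->method)) {
        // Both halves are caller-controlled and end up inside the signed
        // request, so accept only an upper-case verb and a rooted path of
        // printable ASCII (a newline here would corrupt the newline-delimited
        // canonical request). Narrow this further to the routes this endpoint
        // is meant to sign on the caller's behalf.
        $m = explode('|', (string) $obj->method, 2);
        $verb = $m[0];
        $path = isset($m[1]) ? $m[1] : '';
        if (preg_match('/^[A-Z]+$/', $verb) !== 1
            || ($path !== '' && preg_match('#^/[\x21-\x7e]*$#', $path) !== 1)) {
            throw new InvalidArgumentException('Invalid "method" in request body; expected "VERB|/path"');
        }
        $method = $verb;
        $uri .= $path;
    }

    $sessionData = $this->session->data;
    if (!isset($sessionData['aws_secret'], $sessionData['aws_key'], $sessionData['aws_token'])) {
        throw new RuntimeException('AWS credentials are not present in the session');
    }
    $secretKey = $sessionData['aws_secret'];
    $access_key = $sessionData['aws_key'];
    $token = $sessionData['aws_token'];
    $region = 'ap-southeast-1';
    $service = 'execute-api';
    $host = "YOUR-API-HOST.execute-api.ap-southeast-1.amazonaws.com";
    //Or you can define your host here.. I am using API gateway.

    $alg = 'sha256';
    $algorithm = 'AWS4-HMAC-SHA256';

    // One clock reading for both the timestamp and the credential-scope date,
    // so they cannot disagree when the call straddles midnight UTC.
    $now = new DateTimeImmutable('now', new DateTimeZone('UTC'));
    $amzdate = $now->format('Ymd\THis\Z');
    $dateStamp = $now->format('Ymd');

    // Payload: JSON of "data", or an empty string when absent / empty object.
    // It is hashed byte-for-byte, so it must not be altered afterwards (the
    // former strtolower() here hashed a body that was never actually sent).
    $param = '';
    if (isset($obj->data) && !empty($obj->data)) {
        $param = json_encode($obj->data);
        if ($param === false || $param === '{}') {
            $param = '';
        }
    }
    $hashedPayload = hash($alg, $param);

    // Canonical request: method, path, query string, headers, signed-header
    // list, payload hash — each on its own line. Header names are lower-case
    // and sorted, and $signed_headers lists the same names in the same order.
    // NOTE(review): the path is used un-encoded; confirm callers never pass
    // segments that would need URI-encoding.
    $canonical_uri = $uri;
    $canonical_querystring = '';
    $canonical_headers = "content-type:application/json\n"
        . "host:" . $host . "\n"
        . "x-amz-date:" . $amzdate . "\n"
        . "x-amz-security-token:" . $token . "\n";
    $signed_headers = 'content-type;host;x-amz-date;x-amz-security-token';
    $canonical_request = $method . "\n" . $canonical_uri . "\n" . $canonical_querystring . "\n"
        . $canonical_headers . "\n" . $signed_headers . "\n" . $hashedPayload;

    // The same scope goes into the string to sign, the key derivation and the
    // Credential= field; the canonical request is hashed exactly as built.
    $credential_scope = $dateStamp . '/' . $region . '/' . $service . '/aws4_request';
    $string_to_sign = $algorithm . "\n" . $amzdate . "\n" . $credential_scope . "\n" . hash($alg, $canonical_request);

    // Signing-key derivation; every step is keyed with the raw (binary) HMAC of
    // the previous one. These intermediate keys are secrets — never log them.
    $kDate = hash_hmac($alg, $dateStamp, 'AWS4' . $secretKey, true);
    $kRegion = hash_hmac($alg, $region, $kDate, true);
    $kService = hash_hmac($alg, $service, $kRegion, true);
    $kSigning = hash_hmac($alg, 'aws4_request', $kService, true);
    // Hex output (no raw flag) because the signature goes into a header.
    $signature = hash_hmac($alg, $string_to_sign, $kSigning);

    $authorization_header = $algorithm . ' Credential=' . $access_key . '/' . $credential_scope
        . ', SignedHeaders=' . $signed_headers . ', Signature=' . $signature;

    return [
        'content-type' => 'application/json',
        'x-amz-security-token' => $token,
        'x-amz-date' => $amzdate,
        'Authorization' => $authorization_header,
    ];
}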