c# - Azure IOT 中心 - 设备安全 token

Question

所以我们使用 MQTT 来连接设备/服务器。我使用 M2Mqtt 库的模拟客户端让一切正常工作。我真正困扰的是如何在代码中生成密码字段中使用的签名。

我关注了这个https://azure.microsoft.com/en-us/documentation/articles/iot-hub-sas-tokens/然而我正在围绕 HMAC 方面进行斗争。他们所说的“**签名 key **”是什么？这是设备共享访问 key 吗？现在，让模拟客户端在代码中创建自己的签名(而不是通过设备资源管理器)是至关重要的，然后我们甚至担心我们的现场产品是否可以计算此签名(发现这对于现场设备来说确实过于复杂)。除了node.js 之外，是否有我可以遵循的 C# 示例 - 这行代码的意思是“hmac.update(toSign);”

有没有更简单的方法来向服务器验证设备？也许只是使用其共享访问 key ？

对所有问题表示抱歉:/可能我只需要关于什么/何时进行 URI 编码/Base64 编码/解码、HMAC 256 等的分步指南，因为我认为文档还远远不够。

"{signature} 格式为 {URL-encoded-resourceURI} + "\n"+ expiry 的 HMAC-SHA256 签名字符串。重要提示:该 key 从 Base64 解码并用作执行 HMAC-SHA256 的 key 计算。”

Answer 1

这有一天会对某人有所帮助:

构建 Azure IoT 中心的授权 header

https://github.com/snobu/Azure-IoT-Hub/blob/master/make-token.sh

#!/usr/bin/env bash
#
# GitHub repo:
#    https://github.com/snobu/Azure-IoT-Hub
#
# Construct authorization header for Azure IoT Hub
#    https://azure.microsoft.com/en-us/documentation/articles/iot-hub-devguide/#security
#
# The security token has the following format:
#    SharedAccessSignature sig={signature-string}&se={expiry}&skn={policyName}&sr={URL-encoded-resourceURI}
#
# Author:
#    Adrian Calinescu (<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="0b6a266a6f686a67624b666268796478646d7f25686466" rel="noreferrer noopener nofollow">[email protected]</a>), Twitter: @evilSnobu, github.com/snobu
#
# Many things borrowed from:
#    http://stackoverflow.com/questions/20103258/accessing-azure-blob-storage-using-bash-curl
#
# Prereq:
#    OpenSSL
#    npm install underscore -g (for the tidy JSON colorized output) - OPTIONAL
#    Python 2.6 (Might work with 2.5 too)
#    curl (a build from this century should do)

urlencodesafe() {
    # Use urllib to safely urlencode stuff
    python -c "import urllib, sys; print urllib.quote_plus(sys.argv[1])" $1
}

iothub_name="heresthething"
apiversion="2015-08-15-preview"
req_url="${iothub_name}.azure-devices.net/devices?top=100&api-version=${apiversion}"

sas_key="eU2XXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
sas_name="iothubowner"

authorization="SharedAccessSignature"

# 259200 seconds = 72h (Signature is good for the next 72h)
expiry=$(echo $(date +%s)+259200 | bc)
req_url_encoded=$(urlencodesafe $req_url)
string_to_sign="$req_url_encoded\\n$expiry"

# Create the HMAC signature for the Authorization header
#
# In pseudocode:
#      BASE64_ENCODE(HMAC_SHA256($string_to_sign))
#
# With OpenSSL it's a little more work (StackOverflow thread at the top for details)
decoded_hex_key=$(printf %b "$sas_key" | base64 -d -w0 | xxd -p -c256)
signature=$(printf %b "$string_to_sign" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$decoded_hex_key" -binary | base64 -w0)

# URLencode computed HMAC signature
sig_urlencoded=$(urlencodesafe $signature)

# Print Authorization header
authorization_header="Authorization: $authorization sr=$req_url_encoded&sig=$sig_urlencoded&se=$expiry&skn=$sas_name"

echo -e "\n$authorization_header\n"

# We're ready to make the GET request against azure-devices.net REST API
curl -s -H "$authorization_header" "https://$req_url" | underscore print --color

echo -e "\n"

以及 Azure IoT 中心的示例 MQTT 用户/密码组合(是的，密码很残酷并且包含空格):

https://github.com/Azure/azure-content/blob/master/articles/iot-hub/iot-hub-devguide.md#example

用户名(DeviceId 区分大小写): iothubname.azure-devices.net/DeviceId

密码(使用 Device Explorer 生成 SAS): SharedAccessSignature sr=iothubname.azure-devices.net%2fdevices%2fDeviceId&sig=kPszxZZZZZZZZZZZZZZZZZAhLT%2bV7o%3d&se=1487709501