我正在嘗試生成AWS4簽名以直接從客戶端瀏覽器上傳到S3存儲桶。我使用的例子在這裏生成C#簽名:Aws簽名版本4策略不匹配示例
AWS - Deriving the Signing Key with .NET (C#)
以驗證所產生的政策和簽名是正確的,我用從這裏的例子訪問密鑰和策略:
AWS - Examples: Browser-Based Upload using HTTP POST (Using AWS Signature Version 4)
我試過幾種方法來生成策略,但它不匹配。我甚至從示例中複製並粘貼了確切的策略字符串。那麼,爲什麼不這項工作:
var policy = "{ \"expiration\": \"2015-12-30T12:00:00.000Z\"," +
"\"conditions\": [" +
"{\"bucket\": \"sigv4examplebucket\"}," +
"[\"starts-with\", \"$key\", \"user/user1/\"]," +
"{\"acl\": \"public-read\"}," +
"{\"success_action_redirect\": \"http://sigv4examplebucket.s3.amazonaws.com/successful_upload.html\"}," +
"[\"starts-with\", \"$Content-Type\", \"image/\"]," +
"{\"x-amz-meta-uuid\": \"14365123651274\"}," +
"{\"x-amz-server-side-encryption\": \"AES256\"}," +
"[\"starts-with\", \"$x-amz-meta-tag\", \"\"]," +
"{\"x-amz-credential\": \"AKIAIOSFODNN7EXAMPLE/20151229/us-east-1/s3/aws4_request\"}," +
"{\"x-amz-algorithm\": \"AWS4-HMAC-SHA256\"}," +
"{\"x-amz-date\": \"20151229T000000Z\" }]}";
// hash the Base64 version of the policy document and pass this to the signer as the body hash
var policyStringBytes = Encoding.UTF8.GetBytes(policy);
return Convert.ToBase64String(policyStringBytes);
的例子說,該政策字符串應該是:
eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLA0KICAiY29uZGl0aW9ucyI6IFsNCiAgICB7ImJ1Y2tldCI6ICJzaWd2NGV4YW1wbGVidWNrZXQifSwNCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci91c2VyMS8iXSwNCiAgICB7ImFjbCI6ICJwdWJsaWMtcmVhZCJ9LA0KICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL3NpZ3Y0ZXhhbXBsZWJ1Y2tldC5zMy5hbWF6b25hd3MuY29tL3N1Y2Nlc3NmdWxfdXBsb2FkLmh0bWwifSwNCiAgICBbInN0YXJ0cy13aXRoIiwgIiRDb250ZW50LVR5cGUiLCAiaW1hZ2UvIl0sDQogICAgeyJ4LWFtei1tZXRhLXV1aWQiOiAiMTQzNjUxMjM2NTEyNzQifSwNCiAgICB7IngtYW16LXNlcnZlci1zaWRlLWVuY3 J5cHRpb24iOiAiQUVTMjU2In0sDQogICAgWyJzdGFydHMtd2l0aCIsICIkeC1hbXotbWV0YS10YWciLCAiIl0sDQoNCiAgICB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQUlPU0ZPRE5ON0VYQU1QTEUvMjAxNTEyMjkvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LA0KICAgIHsieC1hbXotYWxnb3JpdGhtIjogIkFXUzQtSE1BQy1TSEEyNTYifSwNCiAgICB7IngtYW16LWRhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfQ0KICBdDQp9
但上述返回方法:
eyAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTMwVDEyOjAwOjAwLjAwMFoiLCJjb25kaXRpb25zIjogW3siYnVja2V0IjogInNpZ3Y0ZXhhbXBsZWJ1Y2tldCJ9LFsic3RhcnRzLXdpdGgiLCAiJGtleSIsICJ1c2VyL3VzZXIxLyJdLHsiYWNsIjogInB1YmxpYy1yZWFkIn0seyJzdWNjZXNzX2FjdGlvbl9yZWRpcmVjdCI6ICJodHRwOi8vc2lndjRleGFtcGxlYnVja2V0Ln MzLmFtYXpvbmF3cy5jb20vc3VjY2Vzc2Z1bF91cGxvYWQuaHRtbCJ9LFsic3RhcnRzLXdpdGgiLCAiJENvbnRlbnQtVHlwZSIsICJpbWFnZS8iXSx7IngtYW16LW1ldGEtdXVpZCI6ICIxNDM2NTEyMzY1MTI3NCJ9LHsieC1hbXotc2VydmVyLXNpZGUtZW5jcnlwdGlvbiI6ICJBRVMyNTYifSxbInN0YXJ0cy13aXRoIiwgIiR4LWFtei1tZXRhLXRhZyIsICIiXSx7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQUlPU0ZPRE5ON0VYQU1QTEUvMjAxNTEyMjkvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LHsieC1hbXotYWxnb3JpdGhtIjogIkFXUzQtSE1BQy1TSEEyNTYifSx7IngtYW16LWRhdGUiOiAiMjAxNTEyMjlUMDAwMDAwWiIgfV19
如果我不能連得政策的字符串相匹配,那麼在生成匹配的簽名沒有希望。
對新行使用'\ n' – hjpotter92
*「如果我甚至不能獲得匹配的策略字符串,那麼生成匹配簽名就沒有希望了。」實際上,這不是真的案件。你是對的,簽名與示例不符......但只要base64編碼對於策略文檔是*正確*,並且只要策略文檔是有效的JSON(空白無效),你會想出一個*不同但仍然有效的簽名,因爲它是一個物理上不同但在邏輯上相同的請求。儘管如此,這本書還是值得讚揚的。 –
哦,是的...不要試着手工製作這些東西。使用實際編碼JSON的庫。 –