Azure IOT Hub - 设备安全令牌

时间:2016-05-20 12:44:27

标签: c# azure mqtt hmac azure-iot-hub

所以我们使用MQTT连接设备/服务器。我使用M2Mqtt库使用模拟客户端工作。我真正挣扎的是如何在代码中生成密码字段中使用的 签名

我跟着这个https://azure.microsoft.com/en-us/documentation/articles/iot-hub-sas-tokens/然而我正在与HMAC方面进行斗争。他们谈到的“**签名关键**”是什么?这是设备共享访问密钥吗?现在只需让模拟客户端在代码中创建自己的签名(而不是通过设备资源管理器)是至关重要的,我们甚至担心我们的现场产品是否能够计算出这一点(对于现场设备来说,这真的过于复杂)。除了node.js之外,还有一个C#示例吗?这行是什么意思“hmac.update(toSign);”

有没有更简单的方法来验证设备到服务器?也许只是使用它的共享访问密钥?

对不起所有的问题:/可能我只需要一步一步指导什么/何时进行URI编码/ Base64编码/解码,HMAC 256等,因为我认为文档远远不够。

“{signature} HMAC-SHA256签名字符串格式为:{URL-encoded-resourceURI} +”\ n“+ expiry。重要:密钥从base64解码并用作执行HMAC-SHA256的密钥计算“。

4 个答案:

答案 0 :(得分:0)

页面https://azure.microsoft.com/en-us/documentation/articles/iot-hub-sas-tokens/包含一个Node.js函数,该函数根据给定的输入生成SAS令牌。 根据您的说法,您正在使用令牌来启用设备以连接到您的IoT Hub,因此节点功能的输入应为:

  • 资源URI:{IoT hub name} .azure-devices.net / devices / {device id}。
  • 签名密钥:{device id}身份的任何对称密钥。您可以从IoT Hub设备标识注册表中获取此密钥 - 例如,使用DeviceExplorer工具。
  • 没有政策名称。
  • 任何到期时间。

答案 1 :(得分:0)

终于明白了:)

    public static string getSaSToken()
    {
        TimeSpan fromEpochStart = DateTime.UtcNow - new DateTime(1970, 1, 1);
        string expiry = Convert.ToString((int)fromEpochStart.TotalSeconds + 3600);

        string baseAddress = "XYZABCBLAH.azure-devices.net/devices/12345".ToLower();
        string stringToSign = WebUtility.UrlEncode(baseAddress).ToLower() + "\n" + expiry;

        byte[] data = Convert.FromBase64String("y2moreblahblahblah=");
        HMACSHA256 hmac = new HMACSHA256(data);
        byte[] poo = hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
        string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));

        string token = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}",
                        WebUtility.UrlEncode(baseAddress).ToLower(), WebUtility.UrlEncode(signature), expiry);

        return token;
    }

“12345”是我们设备的序列号。 y2z的关键....将是我们的串口与其他花哨的基础64组合(只要它在base64格式,以使集线器愉快;)

答案 2 :(得分:0)

有一天这会对某人有所帮助:

构建Azure IoT Hub的授权标头

https://github.com/snobu/Azure-IoT-Hub/blob/master/make-token.sh 

#!/usr/bin/env bash
#
# GitHub repo:
#    https://github.com/snobu/Azure-IoT-Hub
#
# Construct authorization header for Azure IoT Hub
#    https://azure.microsoft.com/en-us/documentation/articles/iot-hub-devguide/#security
#
# The security token has the following format:
#    SharedAccessSignature sig={signature-string}&se={expiry}&skn={policyName}&sr={URL-encoded-resourceURI}
#
# Author:
#    Adrian Calinescu (a-adcali@microsoft.com), Twitter: @evilSnobu, github.com/snobu
#
# Many things borrowed from:
#    http://stackoverflow.com/questions/20103258/accessing-azure-blob-storage-using-bash-curl
#
# Prereq:
#    OpenSSL
#    npm install underscore -g (for the tidy JSON colorized output) - OPTIONAL
#    Python 2.6 (Might work with 2.5 too)
#    curl (a build from this century should do)

urlencodesafe() {
    # Use urllib to safely urlencode stuff
    python -c "import urllib, sys; print urllib.quote_plus(sys.argv[1])" $1
}

iothub_name="heresthething"
apiversion="2015-08-15-preview"
req_url="${iothub_name}.azure-devices.net/devices?top=100&api-version=${apiversion}"

sas_key="eU2XXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
sas_name="iothubowner"

authorization="SharedAccessSignature"

# 259200 seconds = 72h (Signature is good for the next 72h)
expiry=$(echo $(date +%s)+259200 | bc)
req_url_encoded=$(urlencodesafe $req_url)
string_to_sign="$req_url_encoded\\n$expiry"

# Create the HMAC signature for the Authorization header
#
# In pseudocode:
#      BASE64_ENCODE(HMAC_SHA256($string_to_sign))
#
# With OpenSSL it's a little more work (StackOverflow thread at the top for details)
decoded_hex_key=$(printf %b "$sas_key" | base64 -d -w0 | xxd -p -c256)
signature=$(printf %b "$string_to_sign" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$decoded_hex_key" -binary | base64 -w0)

# URLencode computed HMAC signature
sig_urlencoded=$(urlencodesafe $signature)

# Print Authorization header
authorization_header="Authorization: $authorization sr=$req_url_encoded&sig=$sig_urlencoded&se=$expiry&skn=$sas_name"

echo -e "\n$authorization_header\n"

# We're ready to make the GET request against azure-devices.net REST API
curl -s -H "$authorization_header" "https://$req_url" | underscore print --color

echo -e "\n"

Azure IoT Hub的示例MQTT用户/传递组合(是的,密码是残酷的并且包含空格):

https://github.com/Azure/azure-content/blob/master/articles/iot-hub/iot-hub-devguide.md#example

用户名(DeviceId区分大小写): iothubname.azure-devices.net/DeviceId

密码(使用设备资源管理器生成SAS): SharedAccessSignature sr=iothubname.azure-devices.net%2fdevices%2fDeviceId&sig=kPszxZZZZZZZZZZZZZZZZZAhLT%2bV7o%3d&se=1487709501

答案 3 :(得分:0)

以下是如何在Java中生成SAS令牌:

import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Date;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AzureSasTokenCreator
{

    public static void main(String[] args) throws InvalidKeyException, UnsupportedEncodingException,
                    MalformedURLException, NoSuchAlgorithmException
    {
        String token = generateSasTokenForIotDevice("myiothub.azure-devices.net/devices/mydevice",
                        "ZNILSsz4ke0r5DQ8rfB/PBWf6QqWGV7aaT/iICi9WTc=", 3600);

        System.out.println(token);
    }

    private static String generateSasTokenForIotDevice(String uri, String devicePrimaryKey, int validtySeconds)
                    throws UnsupportedEncodingException, MalformedURLException, NoSuchAlgorithmException,
                    InvalidKeyException
    {
        Date now = new Date();
        Date previousDate = new Date(1970);
        long tokenExpirationTime = ((now.getTime() - previousDate.getTime()) / 1000) + validtySeconds;

        String signature = getSignature(uri, tokenExpirationTime, devicePrimaryKey);

        String token = String.format("SharedAccessSignature sr=%s&sig=%s&se=%s", uri, signature,
                        String.valueOf(tokenExpirationTime));

        return token;
    }

    private static String getSignature(String resourceUri, long expiryTime, String devicePrimaryKey)
                    throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException
    {
        byte[] textToSign = new String(resourceUri + "\n" + expiryTime).getBytes();
        byte[] decodedDeviceKey = Base64.getDecoder().decode(devicePrimaryKey);
        byte[] signature = encryptHmacSha256(textToSign, decodedDeviceKey);
        byte[] encryptedSignature = Base64.getEncoder().encode(signature);
        String encryptedSignatureUtf8 = new String(encryptedSignature, StandardCharsets.UTF_8);

        return URLEncoder.encode(encryptedSignatureUtf8, "utf-8");
    }

    private static byte[] encryptHmacSha256(byte[] textToSign, byte[] key)
                    throws NoSuchAlgorithmException, InvalidKeyException

    {
        SecretKeySpec secretKey = new SecretKeySpec(key, "HmacSHA256");
        Mac hMacSha256 = Mac.getInstance("HmacSHA256");
        hMacSha256.init(secretKey);
        return hMacSha256.doFinal(textToSign);
    }
}

另请参阅:https://github.com/Breitmann/AzureSasTokenCreator

相关问题
最新问题