Python 和 PHP 对腾讯云签名 hmac_sha256 算法实现

开宗明义,米扑科技在使用腾讯云的API接口签名中,按照官方示例开发PHP、Python的接口,经常会提示签名错误

1
2
3
4
5
6
7
8
9
{
  "Response": {
    "Error": {
      "Code": "InvalidParameter.SignatureFailure",
      "Message": "The provided credentials could not be validated. Please check your signature is correct."
    },
    "RequestId": "1ee6ae98-a971-ad9f-4ecc-abcd69ea1234"
  }
}

 

本文原文,请参见米扑博客:

Python 和 PHP 对腾讯云签名 hmac_sha256 算法实现


经过多次尝试探究,发现原因有二:

1)腾讯云官方示例不严谨,没有urlencode() 或 urllib.quote() 编码导致提示签名错误

2)腾讯官方只提供了PHP示例,没有提供Python示例,两者签名函数有一些细节

 

直接给出干货,下面示例是 米扑科技 封装好的腾讯云签名函数,以飨读者。

腾讯云签名:https://cloud.tencent.com/document/api/377/4214

阿里云签名:https://help.aliyun.com/document_detail/35735.html

米扑的官网:https://mimvp.com

 

PHP 签名示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
/**
 * 签名并获取URL结果,json格式返回
 *
 * 1. 查询弹性IP列表, DescribeAddresses
 * 2. 解绑弹性IP, DisassociateAddress
 * 3. 释放弹性IP, ReleaseAddresses
 * 4. 公网IP转弹性IP, TransformAddress
 *
 * @param string $req_action : DescribeAddresses, DisassociateAddress, ReleaseAddresses, TransformAddress
 * @param string $params : 以 & 开头, 如 &xxx=yyy
 */
function qcloud_eip_sign($req_action='DescribeAddresses', $req_region='ap-beijing'$req_extra_params='', $retry_NUM=3) {
    global $QCloud_SecretId;
    global $QCloud_SecretKey;
     
//  $req_action='DescribeAddresses'
//  $req_region = 'ap-beijing';                 // ap-guangzhou
 
    $req_method = 'GET';                            // GET  POST
    $req_api = 'eip.api.qcloud.com/v2/index.php';
    $req_version = '2017-03-12';
    $req_timestamp = strtotime(date('YmdHis')); // 1402992826
    $req_nonce = rand(1000, 1000000);           // 随机正整数
    $req_secretid = $QCloud_SecretId;           // 密钥ID,用作参数
    $req_secretkey = $QCloud_SecretKey;         // 密钥key,用作加密
    $req_signature_method = 'HmacSHA256';       // HmacSHA1(默认), HmacSHA256
    $req_signature = '';
     
//  $req_uri = "https://eip.api.qcloud.com/v2/index.php?Action=DescribeAddresses
//  &Version=2017-03-12
//  &AddressIds.1=eip-hxlqja90
//  &Region=ap-beijing
//  &Timestamp=1402992826
//  &Nonce=345122
//  &Signature=pStJagaKsV2QdkJnBQWYBDByZ9YPBsOi
//  &SecretId=AKIDpY8cxBD2GLGK9sT0LaqIczGLFxTsoDF6
     
    // 请求方法 + 请求主机 +请求路径 + ? + 请求字符串
    $req_params = sprintf("Action=%s&Region=%s&Version=%s&Timestamp=%s&Nonce=%s&SecretId=%s&SignatureMethod=%s%s", $req_action, $req_region, $req_version, $req_timestamp, $req_nonce, $req_secretid, $req_signature_method, $req_extra_params);
     
    $req_params_array = explode("&", $req_params);
    sort($req_params_array);        // 以value排序,value值为 Action=DescribeAddresses 、 Region=ap-beijing
    $req_params2 = implode("&", $req_params_array);
     
    $req_uri = sprintf("%s%s?%s", $req_method, $req_api, $req_params2);
    $req_signature = urlencode(base64_encode(hash_hmac('sha256', $req_uri, $req_secretkey, true)));     // urlencode(xxx)
    $req_url = sprintf("https://%s?%s&Signature=%s", $req_api, $req_params2, $req_signature);
    $res = curl_url($req_url);
     
    $retry_idx = 0;
    while(empty($res) && $retry_idx < $retry_NUM) {
        $retry_idx += 1;
        $res = curl_url($req_url);
    }
     
    if(!empty($res)) {
        $resJson = json_decode($res, true);
        $resJson = $resJson['Response'];
         
        echo sprintf("<br><br> +++++ action : %s <br><br> resJson: ", $req_action);
        print_r($resJson);
         
        return $resJson;
    }
    else {
        return null;
    }
}
 
 
$req_action_query = 'DescribeAddresses';        // 查询弹性IP
$req_action_unbind = 'DisassociateAddress';     // 解绑弹性IP
$req_action_release = 'ReleaseAddresses';       // 释放弹性IP
$req_action_transform = 'TransformAddress';     // 公网IP转弹性IP
 
$req_region = 'ap-guangzhou';
$req_extra_params = '';
 
// 1. 查询弹性IP列表
$resJson = qcloud_eip_sign($req_action_query, $req_region);
var_dump($resJson);

 

运行结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
req_url: https://eip.api.qcloud.com/v2/index.php?Action=DescribeAddresses&Nonce=585269&Region=ap-guangzhou&SecretId=AKIDSmAAAA2DABCDpTkBBBBMLMFwY0HM1234&SignatureMethod=HmacSHA256&Timestamp=1520429723&Version=2017-03-12&Signature=8U6i3BKBWYWoit3t1egIE9ZC%2BdWtI46QuHLc%2FbhaWWg%3D
 
array (size=3)
  'TotalCount' => int 1
  'AddressSet' =>
    array (size=1)
      0 =>
        array (size=11)
          'AddressId' => string 'eip-qy123abc' (length=12)
          'AddressName' => null
          'AddressIp' => string '111.230.123.234' (length=15)
          'AddressStatus' => string 'BIND' (length=4)
          'InstanceId' => string 'ins-fabc1234' (length=12)
          'NetworkInterfaceId' => null
          'PrivateAddressIp' => string '10.104.245.26' (length=14)
          'IsArrears' => boolean false
          'IsBlocked' => boolean false
          'IsEipDirectConnection' => boolean false
          'CreatedTime' => string '2018-03-07T12:46:26Z' (length=20)
  'RequestId' => string 'ad28067e-d1f9-4c47-932e-6bba1d123456' (length=36)

 

代码说明:

1)函数抽象封装签名方法,方便管理维护,减少开发工作量

2)参数按照升序排列 explode(xxx) —> sort($req_params_array) —> implode(xxx)

3)签名方法,需要添加 urlencode,否则经常提示签名错误,原因是未urlencode会有一些 空格、加号(+)、等号(=)等特殊字符

$req_signature = urlencode(base64_encode(hash_hmac('sha256', $req_uri, $req_secretkey, true)));       // urlencode(xxx)

 

 

Python 签名示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!/usr/bin/env python
# -*- coding:utf-8 -*-
#
# mimvp.com
# 2018-01-08
 
 
import time, datetime, os, json
import urllib, urllib2
import hashlib, base64, hmac, random
import logging
import logging.handlers
 
import sys
reload(sys)
sys.setdefaultencoding('utf-8')
 
 
## 腾讯云API接口签名
def qcloud_eip_sign(req_action='DescribeAddresses', req_region='ap-beijing',  req_extra_params='', retry_NUM=3):
    req_method = 'GET'                              # GET  POST
    req_api = 'eip.api.qcloud.com/v2/index.php'
    req_version = '2017-03-12'
    req_timestamp = int(time.time())                # 1520422452
    req_nonce = random.randint(1000, 1000000)       # 随机正整数
    req_secretid = QCLOUD_SecretId                  # 密钥ID,用作参数
    req_secretkey = QCLOUD_SecretKey                # 密钥key,用作加密
    req_signature_method = 'HmacSHA256'             # HmacSHA1(默认), HmacSHA256
    req_signature = ''
     
#     req_uri = "https://eip.api.qcloud.com/v2/index.php?Action=DescribeAddresses
#                 &Version=2017-03-12
#                 &AddressIds.1=eip-hxlqja90
#                 &Region=ap-beijing
#                 &Timestamp=1402992826
#                 &Nonce=345122
#                 &Signature=pStJagaKsV2QdkJnBQWYBDByZ9YPBsOi
#                 &SecretId=AKIDpY8cxBD2GLGK9sT0LaqIczGLFxTsoDF6
 
    # 请求方法 + 请求主机 +请求路径 + ? + 请求字符串
    req_params = "Action=%s&Region=%s&Version=%s&Timestamp=%s&Nonce=%s&SecretId=%s&SignatureMethod=%s%s" % (req_action, req_region, req_version, req_timestamp, req_nonce, req_secretid, req_signature_method, req_extra_params)
     
    req_params_array = req_params.split('&')
    req_params_array = sorted(req_params_array)          # 以value排序,value值为 Action=DescribeAddresses 、 Region=ap-beijing
    req_params2 = '&'.join(req_params_array);
    req_uri = "%s%s?%s" % (req_method, req_api, req_params2)
    req_signature = urllib.quote( base64.b64encode(hmac.new(req_secretkey, req_uri, digestmod=hashlib.sha256).digest()) )   # urllib.quote(xxx)
 
    req_url = "https://%s?%s&Signature=%s" % (req_api, req_params2, req_signature)
    logger.info('qcloud_eip_sign() - req_url: %s' % (req_url))
     
    res = spider_url(req_url)
     
    retry_idx = 0;
    while not res and retry_idx < retry_NUM:
        retry_idx += 1
        res = spider_url(req_url)
     
    if res :
        resJson = json.loads(res)
        resJson = resJson['Response']
        print "<br><br> +++++ action : %s <br><br> resJson: " % (req_action,)
        return resJson
    else:
        return None;
 
 
if __name__ == "__main__":
    req_action_query = 'DescribeAddresses'          # 查询弹性IP
    req_action_unbind = 'DisassociateAddress'       # 解绑弹性IP
    req_action_release = 'ReleaseAddresses'         # 释放弹性IP
    req_action_transform = 'TransformAddress'       # 公网IP转弹性IP
 
    req_region='ap-guangzhou'
    req_extra_params = '';
 
    # 1. 查询弹性IP列表
    resJson = qcloud_eip_sign(req_action_query, req_region)
    print json.dumps(resJson)

 

运行结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
req_url: https://eip.api.qcloud.com/v2/index.php?Action=DescribeAddresses&Nonce=383782&Region=ap-guangzhou&SecretId=AKIDSmAAAA2DABCDpTkBBBBMLMFwY0HM1234&SignatureMethod=HmacSHA256&Timestamp=1520430569&Version=2017-03-12&Signature=Tsgwx2GV/%2BopDlHiMUg3H/rpIbQ5jPfe9tW3w9Slom4%3D
 
{
  "Response": {
    "TotalCount": 1,
    "AddressSet": [
      {
        "AddressId": "eip-qy123abc",
        "AddressName": null,
        "AddressIp": "111.230.123.234",
        "AddressStatus": "BIND",
        "InstanceId": "ins-fabc1234",
        "NetworkInterfaceId": null,
        "PrivateAddressIp": "10.104.245.26",
        "IsArrears": false,
        "IsBlocked": false,
        "IsEipDirectConnection": false,
        "CreatedTime": "2018-03-07T12:46:26Z"
      }
    ],
    "RequestId": "c2ab3f7f-9796-4ade-afb1-6bba1d123456"
  }
}

 

代码说明:

1)Python改写PHP代码,有一些细节,如 int(time.time())、random.randint(1000, 1000000)、sorted(req_params_array)等

2)参数按照升序排列 xxx.split('&') —> sort($req_params_array) —> '&'.join(xxx)

3)签名方法,需要添加 urllib.quote、base64.b64encode(xxx)、digest() 等,否则经常提示签名错误

req_signature = urllib.quote( base64.b64encode(hmac.new(req_secretkey, req_uri, digestmod=hashlib.sha256).digest()) )      # urllib.quote(xxx)

 

Python 代码里,特别要注意 hmac 签名 sha256 后获取的是 digest(),而不是 hexdigest()  这里错了会一直提示签名错误!

总结之PHP和Python的对应关系

1) PHP 签名

1
2
3
4
5
6
7
// sha1
$hmac_sha1_str = base64_encode(hash_hmac("sha1", $data, $secret_access_key));       // HMAC-SHA1加密
$signature = urlencode($hmac_sha1_str);                         // 编码URL
 
// sha256
$hmac_sha256_str = base64_encode(hash_hmac("sha256", $data, $secret_access_key));   // HMAC-SHA256加密
$signature = urlencode($hmac_sha256_str);                       // 编码URL

 

2)Python 签名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import urllib, base54, hashlib, hmac
 
# sha1
hmac_sha1_str = base64.b64encode( hmac.new(secret_access_key, data, digestmod=hashlib.sha1).digest() )
signature = urllib.quote(hmac_sha1_str)
 
# sha256
hmac_sha256_str = base64.b64encode( hmac.new(secret_access_key, data, digestmod=hashlib.sha256).digest() )
signature = urllib.quote(hmac_sha256_str)
 
 
# sha256
hmac_sha256_str = base64.b64encode( hmac.new(secret_access_key, data, digestmod=hashlib.sha256).hexdigest() )   # 16进制,错误
signature = urllib.quote(hmac_sha256_str)

 


发布了747 篇原创文章 · 获赞 3584 · 访问量 1413万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 编程工作室 设计师: CSDN官方博客

分享到微信朋友圈

×

扫一扫,手机浏览