MS Azure 资源提供程序 SDK - 身份验证

MS Azure Resource Provider SDK - Authentication

我正在尝试实施此处描述的 MS Azure 身份验证: https://github.com/Azure/azure-resource-provider-sdk/tree/master/docs#authentication 但唯一说明的是:

You are responsible for verifying the caller's certificate thumbprint. Only accept calls from certificates that have the correct public key.

怎么做?最好在 PHP。提前致谢。

据我了解,资源提供程序 (RP) API 是 HTTP RESTful,这里是证书:https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/misc/AzureStoreLatest.cer that used by Azure to call your RP. To implement your RP authentication that mentioned on https://github.com/Azure/azure-resource-provider-sdk/tree/master/docs#authentication, you can leverage verifying the certificate which sent from requests to your RP. Based on my experience, usually we check Serial number or Thumbprint of a certificate to verify its authorization, the official samples which are published at https://github.com/Azure/azure-resource-provider-sdk/tree/master/samples 使用相同的方式进行证书验证。例如。以下是 AuthorizeRequest 的 C# 版本供您参考:

    public static bool AuthorizeRequest(X509Certificate2 clientCertificate)
    {
        if (ConfigurationDataProvider.AzureStoreRequestAuthorization)
        {
            if (clientCertificate == null || (
                // BaltimoreRdfeExtensibilityClientProd.cer, will expire on Saturday, February 14, 2015
                !clientCertificate.Thumbprint.Equals("F2693F8487AB975A28C19610A672E59DDCF873F2", StringComparison.OrdinalIgnoreCase) &&

                // BaltimoreRdfeExtensibilityClientStage.cer, will expire on Saturday, February 14, 2015
                !clientCertificate.Thumbprint.Equals("19D02B07DEC22C0998BB266A7DA5BA8B4D42A0A6", StringComparison.OrdinalIgnoreCase)
            ))
            {
                Logger.ErrorFormat(
                    format  : "Unauthorized access to Azure Store integration endpoints: {0}, {1}", 
                    arg0    : clientCertificate != null ? clientCertificate.Subject     : "<null>",
                    arg1    : clientCertificate != null ? clientCertificate.Thumbprint  : "<null>"
                );

                return false;
            }
        }

        return true;
    }

在PHP & OpenSSL中,我们可以利用SSL_CLIENT_M_SERIAL变量:http://pilif.github.io/2013/07/how-to-accept-ssl-client-certificates/获取客户​​端证书的序列号,然后检查该值是否等于[=的序列号30=]。 (您可以在代码中硬编码序列号,就像上面的 C# 示例一样)

我想指出一些使用 RP 的概念和技巧 API:

https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/concepts.md

https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/tips-and-tricks.md

如果您在实施过程中有任何进一步的疑虑,请随时告诉我们并提供有关您尝试过的内容的更多信息。