MS Azure Resource Provider SDK - Authentication
I am trying to implement the MS Azure authentication described here:
https://github.com/Azure/azure-resource-provider-sdk/tree/master/docs#authentication
But the only thing it says is:
You are responsible for verifying the caller's certificate thumbprint.
Only accept calls from certificates that have the correct public key.
How do I do that? Preferably in PHP. Thanks in advance.
As I understand it, the Resource Provider (RP) API is HTTP RESTful, and here is the certificate that Azure uses to call your RP: https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/misc/AzureStoreLatest.cer. To implement the RP authentication mentioned at https://github.com/Azure/azure-resource-provider-sdk/tree/master/docs#authentication, you can verify the certificate that is sent with the requests to your RP. In my experience we usually check the serial number or thumbprint of a certificate to verify its authorization, and the official samples published at https://github.com/Azure/azure-resource-provider-sdk/tree/master/samples use the same approach for certificate verification. For example, here is the C# version of AuthorizeRequest for your reference:

    public static bool AuthorizeRequest(X509Certificate2 clientCertificate)
    {
        if (ConfigurationDataProvider.AzureStoreRequestAuthorization)
        {
            // Reject a missing certificate, or one whose thumbprint is not on the allow-list.
            if (clientCertificate == null || (
                // BaltimoreRdfeExtensibilityClientProd.cer, will expire on Saturday, February 14, 2015
                !clientCertificate.Thumbprint.Equals("F2693F8487AB975A28C19610A672E59DDCF873F2", StringComparison.OrdinalIgnoreCase) &&
                // BaltimoreRdfeExtensibilityClientStage.cer, will expire on Saturday, February 14, 2015
                !clientCertificate.Thumbprint.Equals("19D02B07DEC22C0998BB266A7DA5BA8B4D42A0A6", StringComparison.OrdinalIgnoreCase)
            ))
            {
                Logger.ErrorFormat(
                    format : "Unauthorized access to Azure Store integration endpoints: {0}, {1}",
                    arg0 : clientCertificate != null ? clientCertificate.Subject : "<null>",
                    arg1 : clientCertificate != null ? clientCertificate.Thumbprint : "<null>"
                );
                return false;
            }
        }
        return true;
    }
In PHP with OpenSSL, we can use the SSL_CLIENT_M_SERIAL variable (see http://pilif.github.io/2013/07/how-to-accept-ssl-client-certificates/) to obtain the serial number of the client certificate, and then check whether that value equals the serial number of that certificate. (You can hard-code the serial number in your code, just as the C# sample above does.)
I would also like to point out some concepts and tips and tricks for using the RP API:
https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/concepts.md
https://github.com/Azure/azure-resource-provider-sdk/blob/master/docs/tips-and-tricks.md
If you have any further concerns during implementation, please feel free to let us know and provide more details about what you have tried.
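As an added example (not code from the answer above or from the Azure SDK), here is the PHP counterpart of the C# AuthorizeRequest, pinning the caller's certificate by SHA-1 thumbprint rather than serial number. It assumes Apache with mod_ssl configured with "SSLVerifyClient optional" and "SSLOptions +ExportCertData", which exports the peer certificate as PEM in $_SERVER['SSL_CLIENT_CERT']; the allow-list values are the placeholders from the C# sample and should be replaced with the thumbprint of the certificate Azure actually uses (AzureStoreLatest.cer).

```php
<?php
// Added example: thumbprint pinning of the TLS client certificate in PHP.
// Assumes Apache + mod_ssl with "SSLVerifyClient optional" and
// "SSLOptions +ExportCertData" so the PEM certificate lands in
// $_SERVER['SSL_CLIENT_CERT']. The handshake itself proves the caller
// holds the matching private key; the pin decides whether it is trusted.

// Placeholder allow-list taken from the C# sample; replace with the SHA-1
// thumbprint of the certificate Azure calls your RP with.
const ALLOWED_THUMBPRINTS = [
    'F2693F8487AB975A28C19610A672E59DDCF873F2',
    '19D02B07DEC22C0998BB266A7DA5BA8B4D42A0A6',
];

/**
 * Return true only if the request carried a client certificate whose
 * SHA-1 thumbprint (hash of the DER encoding, the same value .NET exposes
 * as X509Certificate2.Thumbprint) is on the allow-list.
 */
function authorizeRequest(array $server, array $allowedThumbprints): bool
{
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if ($pem === '') {
        error_log('Unauthorized access to RP endpoint: <null>, <null>');
        return false; // no certificate presented (the C# null check)
    }

    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        error_log('Unauthorized access to RP endpoint: unparsable certificate');
        return false;
    }

    // Hex SHA-1 over the DER bytes; normalise case before comparing.
    $thumbprint = strtoupper(openssl_x509_fingerprint($cert, 'sha1'));
    foreach ($allowedThumbprints as $allowed) {
        if (hash_equals(strtoupper($allowed), $thumbprint)) {
            return true; // constant-time match against a pinned value
        }
    }

    $subject = openssl_x509_parse($cert)['name'] ?? '<unknown>';
    error_log(sprintf('Unauthorized access to RP endpoint: %s, %s', $subject, $thumbprint));
    return false;
}

// Gate every RP endpoint on the pin before doing any work.
if (!authorizeRequest($_SERVER, ALLOWED_THUMBPRINTS)) {
    http_response_code(403);
    exit;
}
```

Under nginx/FastCGI the certificate arrives via a fastcgi_param set from $ssl_client_cert instead, so adjust the variable name accordingly; the thumbprint logic is unchanged.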