V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Recommended Services
Amazon Web Services
LeanCloud
New Relic
ClearDB
kincaid
V2EX  ›  云计算

有大佬对腾讯云 API 的签名有研究嘛,可以帮看看问题嘛

  •  
  •   kincaid · 2023-08-24 21:03:59 +08:00 · 1437 次点击
    这是一个创建于 491 天前的主题,其中的信息可能已经有所发展或是发生改变。

    试着写了一下 ACME dnsapi 的腾讯云 API3.0 版本,但是执行的时候卡到了计算签名的过程 签名算法说明文档: https://cloud.tencent.com/document/api/1427/56189

    ++ _hmac sha256 de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa dnspod hex
    ++ alg=sha256
    ++ secret_hex=de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa
    ++ outputhex=dnspod
    ++ '[' -z de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa ']'
    ++ '[' sha256 = sha256 ']'
    ++ '[' dnspod ']'
    ++ tr -d ' '
    ++ openssl dgst -sha256 -mac HMAC -macopt hexkey:de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa
    卡这不动了
    

    代码如下

    #!/usr/bin/env sh
    set -x
    Tencent_API="https://dnspod.tencentcloudapi.com"
    
    #Tencent_SecretId="AKIDz8krbsJ5yKBZQpn74WFkmLPx3gnPhESA"
    #Tencent_SecretKey="Gu5t9xGARNpq86cd98joQYCN3Cozk1qA"
    
    #Usage: dns_tencent_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
    dns_tencent_add() {
      fulldomain=$1
      txtvalue=$2
    
      Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
      Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
      if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then
        Tencent_SecretId=""
        Tencent_SecretKey=""
        _err "You don't specify tencent api SecretId and SecretKey yet."
        return 1
      fi
    
      #save the api SecretId and SecretKey to the account conf file.
      _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId"
      _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey"
    
      _debug "First detect the root zone"
      if ! _get_root "$fulldomain"; then
        return 1
      fi
    
      _debug "Add record"
      _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord"
    }
    
    dns_tencent_rm() {
      fulldomain=$1
      txtvalue=$2
      Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
      Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
    
      _debug "First detect the root zone"
      if ! _get_root "$fulldomain"; then
        return 1
      fi
    
      _debug "Get record list"
      _describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList"
    
      record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
      _debug2 record_id "$record_id"
    
      if [ -z "$record_id" ]; then
        _debug "record not found, skip"
      else
        _debug "Delete record"
        _delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
      fi
    }
    
    ####################  Private functions below ##################################
    
    _get_root() {
      domain=$1
      i=2
      p=1
      while true; do
        h=$(printf "%s" "$domain" | cut -d . -f $i-100)
        if [ -z "$h" ]; then
          #not valid
          return 1
        fi
    
        _describe_records_query "$h" "@"
        if ! _tencent_rest "DescribeRecordList" "ignore"; then
          return 1
        fi
    
        if _contains "$response" "\"TotalCount\":"; then
          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
          _debug _sub_domain "$_sub_domain"
          _domain="$h"
          _debug _domain "$_domain"
          return 0
        fi
        p="$i"
        i=$(_math "$i" + 1)
      done
      return 1
    }
    
    _tencent_rest() {
      action=$1
      timestamp=$(date -u +%s)
      date=$(date -u +"%Y-%m-%d")
      service="dnspod"
      algorithm="TC3-HMAC-SHA256"
    
      signedHeaders="content-type;host;x-tc-action;x-tc-timestamp;x-tc-version;x-tc-region"
      payloadHash=$(printf "%s" "$query" | _digest "sha256" hex)
      canonicalRequest="POST\n/\n\ncontent-type:application/json;charset=utf-8\nhost:dnspod.tencentcloudapi.com\nx-tc-action:$action\nx-tc-timestamp:$timestamp\nx-tc-version:2018-08-13\nx-tc-region:ap-guangzhou\n\n$signedHeaders\n$payloadHash"
      hashedCanonicalRequest=$(printf "%s" "$canonicalRequest" | _digest "sha256" hex)
    
      credentialScope="$date/$service/tc3_request"
      stringToSign="$algorithm\n$timestamp\n$credentialScope\n$hashedCanonicalRequest"
      secretDate=$(printf "%s" "TC3$Tencent_SecretKey" | _hmac "sha256" "$date" hex)
      secretService=$(_hmac "sha256" "$secretDate" "$service" hex)
      secretSigning=$(_hmac "sha256" "$secretService" "tc3_request" hex)
      signature=$(_hmac "sha256" "$secretSigning" "$stringToSign" hex)
    
      authorization="$algorithm Credential=$Tencent_SecretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature"
      header="Authorization: $authorization"
      header="$header"$'\n'"Content-Type: application/json;charset=utf-8"
      header="$header"$'\n'"Host: dnspod.tencentcloudapi.com"
      header="$header"$'\n'"X-TC-Action: $action"
      header="$header"$'\n'"X-TC-Timestamp: $timestamp"
      header="$header"$'\n'"X-TC-Version: 2018-08-13"
      header="$header"$'\n'"X-TC-Region: ap-guangzhou"
    
      if ! response="$(_post "$query" "$Tencent_API" "" "POST" "application/json" "$header")"; then
        _err "Error <$1>"
        return 1
      fi
    
      _debug2 response "$response"
      if [ -z "$2" ]; then
        message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
        if [ "$message" ]; then
          _err "$message"
          return 1
        fi
      fi
    }
    
    _add_record_query() {
      query=$(cat <<EOF
    {
      "Domain": "$1",
      "SubDomain": "$2",
      "RecordType": "TXT",
      "RecordLine": "默认",
      "Value": "$3",
      "TTL": 600
    }
    EOF
    )
    }
    
    _describe_records_query() {
      query=$(cat <<EOF
    {
      "Offset": 0,
      "Limit": 3000,
      "Domain": "$1",
      "Subdomain": "$2",
      "RecordType": "TXT",
      "RecordLine": "默认"
    }
    EOF
    )
    }
    
    _delete_record_query() {
      query=$(cat <<EOF
    {
      "Domain": "$_domain",
      "RecordId": $1
    }
    EOF
    )
    }
    
    _clean() {
      _describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList"
    
      record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
      _debug2 record_id "$record_id"
    
      if [ -z "$record_id" ]; then
        _debug "record not found, skip"
      else
        _delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
      fi
    }
    

    加了个 set -x 便于调试

    第 1 条附言  ·  2023-08-31 20:11:27 +08:00
    官方答复后续将支持 shell 、lua 、dart 、swift 四个语言的签名代码,发布到官网 API 中心+github ,预计 9 月 30 日完成;
    另外 shell 可以参考另外一个大佬的 demo: https://www.rehiy.com/post/534/
    4 条回复    2023-08-25 11:23:18 +08:00
    xiangyuecn
        1
    xiangyuecn  
       2023-08-25 08:23:33 +08:00
    中情局最喜欢你这样的了
    kincaid
        2
    kincaid  
    OP
       2023-08-25 09:28:14 +08:00
    @xiangyuecn 腾讯云搞这套算法搞的,想要签名就得装一堆依赖,在 acme 上基本行不通哇
    suijishu
        3
    suijishu  
       2023-08-25 10:08:25 +08:00
    @kincaid 知道一楼为啥这么说嘛,你发代码就发代码,别把 SecretId ,SecretKey 发出来啊,之前有个东西泄露就是这样泄露的。如果你写的是真的,快去重置去吧。
    kincaid
        4
    kincaid  
    OP
       2023-08-25 11:23:18 +08:00
    @suijishu 哈哈哈,原来这样,我怎么可能把真的发出来,那是 GPT 出来的
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2819 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 32ms · UTC 02:45 · PVG 10:45 · LAX 18:45 · JFK 21:45
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.