SAS token mismatch on Azure DPS with Azure IoT Edge

Question description Votes: 0 Answers: 1

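I recently ran into a problem with DPS registration requests, with the error "{"Message":"{"errorCode":401002,"message":"The specified SAS token has an invalid signature. It does not match either the primary or secondary key.","trackingId":"E377D48366F943E189A5FEA744D89D95-G2:-TimeStamp:2025-01-03T14:15:03.453324531Z","timestampUtc":"2025-01-03T14:15:03.453324531Z","info":null}","ExceptionMessage":""}".

I have two different IoT hubs in different environments, and my devices are running IoT Edge with group enrollment symmetric keys, but the Azure Identity daemon seems to be able to register in only one of the DPS environments. For the other one, I get this error. I have already tried regenerating the keys. It had been working for months, but suddenly it stopped working in that environment. I don't recall changing anything in the setup.

Thanks for your help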

azure-iot-hub azure-iot-edge
1 Answer
0
votes

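This error indicates that the signature of the SAS token used to authenticate with the Azure Device Provisioning Service (DPS) is invalid or expired.

The following is the code to generate the SAS token: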

    using System;
    using System.Globalization;
    using System.Net;
    using System.Security.Cryptography;
    using System.Text;
    using System.Threading.Tasks;
    using Azure;
    using CommandLine;
    using Microsoft.Azure.Devices.Provisioning.Service;

    // Parameters and ProvisioningRoleBasedAuthenticationSample are defined elsewhere
    // in the sample project and are not shown here.
    public class Program
    {
        public static async Task Main(string[] args)
        {
            // Parse command-line arguments; exit if they are invalid.
            Parameters parameters = null;
            ParserResult<Parameters> parserResult = Parser.Default.ParseArguments<Parameters>(args)
                .WithParsed(parsedParams => parameters = parsedParams)
                .WithNotParsed(errors => Environment.Exit(1));

            Console.WriteLine("Creating SAS credential...");

            try
            {
                TimeSpan tokenValidity = TimeSpan.FromHours(1);
                DateTime expiresOn = DateTime.UtcNow.Add(tokenValidity);

                // Generate SAS token
                string sasToken = GenerateSasToken(
                    parameters.HostName,
                    parameters.SharedAccessKey,
                    parameters.SharedAccessKeyName,
                    expiresOn
                );

                AzureSasCredential sasCredential = new AzureSasCredential(sasToken);
                ProvisioningServiceClient provisioningServiceClient =
                    ProvisioningServiceClient.Create(parameters.HostName, sasCredential);

                Console.WriteLine("SAS credential successfully created.");
                var sample = new ProvisioningRoleBasedAuthenticationSample(provisioningServiceClient);
                await sample.RunSampleAsync();
            }
            catch (Exception ex)
            {
                Console.WriteLine($"An error occurred: {ex.Message}");
            }
        }

        private static string GenerateSasToken(string resourceUri, string sharedAccessKey, string policyName, DateTime expiresOn)
        {
            // Expiry is expressed as seconds since the Unix epoch (UTC).
            DateTime epochTime = new DateTime(1970, 1, 1);
            TimeSpan secondsFromEpochTime = expiresOn.Subtract(epochTime);
            long seconds = Convert.ToInt64(secondsFromEpochTime.TotalSeconds, CultureInfo.InvariantCulture);
            string expiry = seconds.ToString(CultureInfo.InvariantCulture);

            // The signed string is the URL-encoded resource URI, a newline, and the expiry.
            string stringToSign = $"{WebUtility.UrlEncode(resourceUri)}\n{expiry}";

            using (HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(sharedAccessKey)))
            {
                string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
                string token = $"SharedAccessSignature sr={WebUtility.UrlEncode(resourceUri)}&sig={WebUtility.UrlEncode(signature)}&se={expiry}";
                // Do not write the token to the console or logs: it is a bearer credential until it expires.
                if (!string.IsNullOrWhiteSpace(policyName))
                {
                    token += $"&skn={policyName}";
                }

                return token;
            }
        }
    }

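See this link for information about symmetric key attestation with the Azure IoT Hub Device Provisioning Service.

The following creates a new enrollment group: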

        public async Task CreateEnrollmentGroupAsync()
        {
            Console.WriteLine("Creating a new enrollment group...");
            Attestation attestation = new SymmetricKeyAttestation(null, null); // let the service generate keys
            var group = new EnrollmentGroup(s_enrollmentGroupId, attestation);

            group = await _provisioningServiceClient.CreateOrUpdateEnrollmentGroupAsync(group);
            Console.WriteLine($"Created {group.EnrollmentGroupId}: {JsonConvert.SerializeObject(group)}");
        }

See this link for the complete EnrollmentGroup code. See this SO post for IoT Edge with DPS.

Output:

EnrollmentGroupSample
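
The check behind the 401002 message, as an added example (not code from the question, the answer, or Microsoft's SDK): with a group enrollment the device signs its registration token with a key derived from a group key, so the script re-derives that key from the group's primary and secondary keys and reports whether a token is malformed, expired, or signed with a key matching neither. The ID scope, registration ID and keys are constructed placeholders; the token layout (`sr={idScope}/registrations/{registrationId}`, `skn=registration`) is assumed to follow Microsoft's documented DPS symmetric key attestation format.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote


def _hmac_b64(key_b64, message):
    mac = hmac.new(base64.b64decode(key_b64), message.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def derive_device_key(group_key_b64, registration_id):
    # Group enrollment: device key = Base64(HMAC-SHA256(group key, registration ID)).
    return _hmac_b64(group_key_b64, registration_id)


def build_device_token(device_key_b64, id_scope, registration_id, expiry):
    sr = quote(f"{id_scope}/registrations/{registration_id}", safe="")
    sig = _hmac_b64(device_key_b64, f"{sr}\n{expiry}")
    return f"SharedAccessSignature sr={sr}&sig={quote(sig, safe='')}&se={expiry}&skn=registration"


def diagnose(token, group_keys, now=None):
    """Return 'malformed', 'expired', 'no-match', or the name of the matching group key."""
    scheme, _, body = token.partition(" ")
    fields = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    if scheme != "SharedAccessSignature" or not {"sr", "sig"} <= fields.keys() \
            or not fields.get("se", "").isdigit():
        return "malformed"
    if int(fields["se"]) <= (time.time() if now is None else now):
        return "expired"
    registration_id = unquote(fields["sr"]).rsplit("/", 1)[-1]
    for name, group_key in group_keys.items():
        device_key = derive_device_key(group_key, registration_id)
        # Sign the sr field exactly as sent so percent-encoding case cannot skew the check.
        expected = _hmac_b64(device_key, f"{fields['sr']}\n{fields['se']}")
        if hmac.compare_digest(expected, unquote(fields["sig"])):
            return name
    return "no-match"


def demo():
    # Constructed sample keys (not real credentials); "retired" is no longer on the group.
    keys = {n: base64.b64encode(f"constructed-{n}-key".encode()).decode()
            for n in ("primary", "secondary", "retired")}
    stale = derive_device_key(keys.pop("retired"), "edge-device-01")
    token = build_device_token(stale, "0ne00000000", "edge-device-01", int(time.time()) + 3600)
    return diagnose(token, keys)
```

`demo()` models a device whose stored key was derived from a group key that is no longer on the enrollment group, which yields `no-match`; a token signed with a key derived from a current group key returns that key's name.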
