有大佬对腾讯云 API 的签名有研究嘛,可以帮看看问题嘛

2023-08-24 21:03:59 +08:00
 kincaid

试着写了一下 ACME dnsapi 的腾讯云 API3.0 版本,但是执行的时候卡到了计算签名的过程 签名算法说明文档: https://cloud.tencent.com/document/api/1427/56189

++ _hmac sha256 de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa dnspod hex
++ alg=sha256
++ secret_hex=de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa
++ outputhex=dnspod
++ '[' -z de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa ']'
++ '[' sha256 = sha256 ']'
++ '[' dnspod ']'
++ tr -d ' '
++ openssl dgst -sha256 -mac HMAC -macopt hexkey:de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa
卡这不动了

代码如下

#!/usr/bin/env sh
set -x
Tencent_API="https://dnspod.tencentcloudapi.com"

#Tencent_SecretId="AKIDz8krbsJ5yKBZQpn74WFkmLPx3gnPhESA"
#Tencent_SecretKey="Gu5t9xGARNpq86cd98joQYCN3Cozk1qA"

#Usage: dns_tencent_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_tencent_add() {
  fulldomain=$1
  txtvalue=$2

  Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
  Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
  if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then
    Tencent_SecretId=""
    Tencent_SecretKey=""
    _err "You don't specify tencent api SecretId and SecretKey yet."
    return 1
  fi

  #save the api SecretId and SecretKey to the account conf file.
  _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId"
  _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey"

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    return 1
  fi

  _debug "Add record"
  _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord"
}

dns_tencent_rm() {
  fulldomain=$1
  txtvalue=$2
  Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
  Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    return 1
  fi

  _debug "Get record list"
  _describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList"

  record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
  _debug2 record_id "$record_id"

  if [ -z "$record_id" ]; then
    _debug "record not found, skip"
  else
    _debug "Delete record"
    _delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
  fi
}

####################  Private functions below ##################################

_get_root() {
  domain=$1
  i=2
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      #not valid
      return 1
    fi

    _describe_records_query "$h" "@"
    if ! _tencent_rest "DescribeRecordList" "ignore"; then
      return 1
    fi

    if _contains "$response" "\"TotalCount\":"; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _debug _sub_domain "$_sub_domain"
      _domain="$h"
      _debug _domain "$_domain"
      return 0
    fi
    p="$i"
    i=$(_math "$i" + 1)
  done
  return 1
}

_tencent_rest() {
  action=$1
  timestamp=$(date -u +%s)
  date=$(date -u +"%Y-%m-%d")
  service="dnspod"
  algorithm="TC3-HMAC-SHA256"

  signedHeaders="content-type;host;x-tc-action;x-tc-timestamp;x-tc-version;x-tc-region"
  payloadHash=$(printf "%s" "$query" | _digest "sha256" hex)
  canonicalRequest="POST\n/\n\ncontent-type:application/json;charset=utf-8\nhost:dnspod.tencentcloudapi.com\nx-tc-action:$action\nx-tc-timestamp:$timestamp\nx-tc-version:2018-08-13\nx-tc-region:ap-guangzhou\n\n$signedHeaders\n$payloadHash"
  hashedCanonicalRequest=$(printf "%s" "$canonicalRequest" | _digest "sha256" hex)

  credentialScope="$date/$service/tc3_request"
  stringToSign="$algorithm\n$timestamp\n$credentialScope\n$hashedCanonicalRequest"
  secretDate=$(printf "%s" "TC3$Tencent_SecretKey" | _hmac "sha256" "$date" hex)
  secretService=$(_hmac "sha256" "$secretDate" "$service" hex)
  secretSigning=$(_hmac "sha256" "$secretService" "tc3_request" hex)
  signature=$(_hmac "sha256" "$secretSigning" "$stringToSign" hex)

  authorization="$algorithm Credential=$Tencent_SecretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature"
  header="Authorization: $authorization"
  header="$header"$'\n'"Content-Type: application/json;charset=utf-8"
  header="$header"$'\n'"Host: dnspod.tencentcloudapi.com"
  header="$header"$'\n'"X-TC-Action: $action"
  header="$header"$'\n'"X-TC-Timestamp: $timestamp"
  header="$header"$'\n'"X-TC-Version: 2018-08-13"
  header="$header"$'\n'"X-TC-Region: ap-guangzhou"

  if ! response="$(_post "$query" "$Tencent_API" "" "POST" "application/json" "$header")"; then
    _err "Error <$1>"
    return 1
  fi

  _debug2 response "$response"
  if [ -z "$2" ]; then
    message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
    if [ "$message" ]; then
      _err "$message"
      return 1
    fi
  fi
}

_add_record_query() {
  query=$(cat <<EOF
{
  "Domain": "$1",
  "SubDomain": "$2",
  "RecordType": "TXT",
  "RecordLine": "默认",
  "Value": "$3",
  "TTL": 600
}
EOF
)
}

_describe_records_query() {
  query=$(cat <<EOF
{
  "Offset": 0,
  "Limit": 3000,
  "Domain": "$1",
  "Subdomain": "$2",
  "RecordType": "TXT",
  "RecordLine": "默认"
}
EOF
)
}

_delete_record_query() {
  query=$(cat <<EOF
{
  "Domain": "$_domain",
  "RecordId": $1
}
EOF
)
}

_clean() {
  _describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList"

  record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
  _debug2 record_id "$record_id"

  if [ -z "$record_id" ]; then
    _debug "record not found, skip"
  else
    _delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
  fi
}

加了个 set -x 便于调试

1382 次点击
所在节点    云计算
4 条回复
xiangyuecn
2023-08-25 08:23:33 +08:00
中情局最喜欢你这样的了
kincaid
2023-08-25 09:28:14 +08:00
@xiangyuecn 腾讯云搞这套算法搞的,想要签名就得装一堆依赖,在 acme 上基本行不通哇
suijishu
2023-08-25 10:08:25 +08:00
@kincaid 知道一楼为啥这么说嘛,你发代码就发代码,别把 SecretId ,SecretKey 发出来啊,之前有个东西泄露就是这样泄露的。如果你写的是真的,快去重置去吧。
kincaid
2023-08-25 11:23:18 +08:00
@suijishu 哈哈哈,原来这样,我怎么可能把真的发出来,那是 GPT 出来的

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/968090

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX