Veracode custom HMAC request signing algorithm (used for API authorization)
var crypto = require('crypto'); | |
const id = process.env.API_ID; // your API ID, reading from environment variable | |
const key = process.env.KEY; // your API key, reading from environment variable | |
const preFix = "VERACODE-HMAC-SHA-256"; | |
const verStr = "vcode_request_version_1"; | |
var resthost = "api.veracode.com"; // rest host | |
var xmlhost = "analysiscenter.veracode.com"; // xml host | |
/**
 * Computes HMAC-SHA-256 of `data` under `key`.
 *
 * @param {string|Buffer|TypedArray} data - message to authenticate
 * @param {string|Buffer|TypedArray} key - HMAC key
 * @param {string} [format] - digest encoding (e.g. 'hex'); when omitted the raw
 *   digest is returned as a Buffer, which is what the chained steps feed back in as the next key
 * @returns {Buffer|string} the digest, encoded per `format`
 */
function hmac256(data, key, format) {
  const mac = crypto.createHmac('sha256', key);
  mac.update(data);
  return mac.digest(format);
}
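/**
 * Decodes a hex string into a signed 8-bit byte array.
 *
 * Values 0x80..0xff wrap to negative numbers in the Int8Array; the underlying
 * bytes are what the HMAC consumes, so this is equivalent to an unsigned view.
 *
 * Malformed input is rejected instead of being silently mis-decoded: the
 * original loop dropped a trailing odd nibble and turned non-hex pairs into 0,
 * which would yield a wrong key and an opaque signature failure downstream.
 *
 * @param {string} hex - even-length string of hex digits (either case); may be empty
 * @returns {Int8Array} decoded bytes, one per hex pair
 * @throws {TypeError} if `hex` is not a string, has odd length, or contains non-hex characters
 */
const getByteArray = (hex) => {
  if (typeof hex !== 'string' || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new TypeError('getByteArray: expected an even-length string of hex digits');
  }
  const bytes = [];
  for (let i = 0; i < hex.length; i += 2) {
    bytes.push(Number.parseInt(hex.slice(i, i + 2), 16));
  }
  // Int8Array.from applies ToInt8, so 0xff becomes -1 (same representation as before).
  return Int8Array.from(bytes);
}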
/**
 * Picks the host name that goes into the signed data.
 *
 * @param {boolean} xml - truthy selects the XML API host, otherwise the REST host
 * @returns {string} host name
 */
function getHost(xml) {
  return xml ? xmlhost : resthost;
}
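/**
 * Builds the Authorization header value for one request.
 *
 * The signature covers `id`, host, `url` and `method` (see `data` below), so the
 * value is only valid for a request that uses exactly those four values. It also
 * covers a fresh timestamp and nonce, so a new header is needed per request.
 *
 * Signature chain (each step keys the next):
 *   key bytes -> nonce bytes -> timestamp -> verStr -> data (hex output)
 *
 * Fails fast with a clear message when the credentials are not configured;
 * previously a missing KEY surfaced as a TypeError inside getByteArray and a
 * missing API_ID produced a header containing the literal text `id=undefined`.
 *
 * @param {string} url - interpolated verbatim into the signed data; presumably the
 *   request path with query string rather than the full URL — confirm against the API docs
 * @param {string} method - HTTP method, interpolated verbatim into the signed data
 * @param {boolean} xml - truthy signs for the XML host, otherwise the REST host
 * @returns {string} header value of the form `<preFix> id=…,ts=…,nonce=…,sig=…`
 * @throws {Error} if API_ID or KEY is not set in the environment
 * @throws {TypeError} if KEY is not a valid hex string (from getByteArray)
 */
const generateHeader = (url, method, xml) => {
  if (id == null || key == null) {
    throw new Error('generateHeader: API_ID and KEY environment variables must both be set');
  }
  const host = getHost(xml);
  const data = `id=${id}&host=${host}&url=${url}&method=${method}`;
  // Milliseconds since the Unix epoch, as a decimal string.
  const timestamp = Date.now().toString();
  // 16 random bytes from the CSPRNG, hex-encoded (32 chars).
  const nonce = crypto.randomBytes(16).toString("hex");
  // Derive the per-request signing key step by step, then sign the request data.
  const hashedNonce = hmac256(getByteArray(nonce), getByteArray(key));
  const hashedTimestamp = hmac256(timestamp, hashedNonce);
  const hashedVerStr = hmac256(verStr, hashedTimestamp);
  const signature = hmac256(data, hashedVerStr, 'hex');
  return `${preFix} id=${id},ts=${timestamp},nonce=${nonce},sig=${signature}`;
}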
// Public surface of the module: the host selector and the header builder.
module.exports = { getHost, generateHeader };
@falcond20 could you paste a screenshot of your terminal showing how you ran the command and the output, with your ID and Key values redacted?
Here is the screenshot @mrpinghe
Ah, PowerShell. I believe you want to use Set-Variable to set those variables (I'm not too familiar with PowerShell): https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-variable?view=powershell-7.3
FYI - For those interested in using the Web Crypto API (e.g. browser) instead of the Node.js Crypto module, https://gist.github.com/ThibaudLopez/fe1baeaa4461cbf0bfa8fd258ff43243 (based on @mrpinghe work here)
$ export API_ID=YOUR_API_ID_VALUE && export KEY=YOUR_KEY_VALUE && node test.js"
I can't seem to get it to work: when I paste it into my terminal I get this error: Uncaught SyntaxError: Unexpected token 'export'
What am I doing wrong?