I searched the other posts since I am not the only person with signature issues. I tried it with a couple of languages and I always have the same problem.
What am I doing wrong with the API authentication with coinbase.com:
# normally I fetch the timestamp from https://api.coinbase.com/v2/time
TIMESTAMP=$(date +%s)
SIG=$(echo -n "${TIMESTAMP}GET/v2/accounts" | hmac256 --stdkey $COINBASE_SECRET)
curl https://api.coinbase.com/v2/accounts \
--header "CB-ACCESS-KEY: $COINBASE_KEY" \
--header "CB-ACCESS-SIGN: $SIG" \
--header "CB-ACCESS-TIMESTAMP: $TIMESTAMP" \
--header "CB-VERSION: 2016-03-08"
In go I am trying to do something like:
nonce := strconv.FormatInt(int64(time.Data.Epoch), 10)
message := nonce + req.Method + endpoint // endpoint "/v2/accounts"
req.Header.Set("CB-ACCESS-KEY", a.Key)
h := hmac.New(sha256.New, []byte(a.Secret))
h.Write([]byte(message))
signature := hex.EncodeToString(h.Sum(nil))
req.Header.Set("CB-ACCESS-SIGN", signature)
req.Header.Set("CB-ACCESS-TIMESTAMP", nonce)
req.Header.Set("CB-VERSION", "2016-03-08")
Also it seems that the sandbox is no longer supported since api.sandbox.coinbase.com is unavailable?!
Kind regards
For bash/curl the issue was the hmac tool I used with echo. The following worked for me with curl requests:
SIG=$(echo -n "${TIMESTAMP}GET/v2/accounts" | openssl dgst -sha256 -hmac "$COINBASE_SECRET" |cut -d' ' -f2);
In respect of golang I compared the hash sums and came to the conclusion that something is fishy with the current library I am using.
I wrote a library on my own (https://github.com/Zauberstuhl/go-coinbase) and now it works like a charm.
I am doing the same as above except I am using Sprintf for the final encoding but that should be the same.
Thanks anyway!
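An added example, not code from the original posts: the signing step from the answer above wrapped in functions, with a known-answer check (RFC 4231 test case 2) that validates the local HMAC tool chain before the API is suspected. The function names, the sample secret and timestamp, and the optional body argument (the page only shows a GET) are assumptions made for illustration.

```shell
# Added example: HMAC-SHA256 signing in the CB-ACCESS-SIGN style.
# Function names and sample values are constructed, not real credentials.

# hmac_sha256_hex KEY MESSAGE -> lowercase hex MAC.
# printf '%s' emits the message with no trailing newline; the hex digest is
# the last field of the openssl output whatever label openssl prints first.
hmac_sha256_hex() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Same MAC, but fed through plain echo, which appends a newline to the message.
hmac_via_echo() {
    echo "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# cb_prehash TIMESTAMP METHOD PATH [BODY] -> the exact string that is signed.
cb_prehash() {
    printf '%s%s%s%s' "$1" "$2" "$3" "${4:-}"
}

# cb_sign SECRET TIMESTAMP METHOD PATH [BODY] -> value for CB-ACCESS-SIGN.
cb_sign() {
    hmac_sha256_hex "$1" "$(cb_prehash "$2" "$3" "$4" "${5:-}")"
}

# Known-answer check against RFC 4231 test case 2: returns 0 only if the
# local HMAC pipeline is sound, so a bad tool is caught before the API is blamed.
hmac_selftest() {
    want=5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
    [ "$(hmac_sha256_hex 'Jefe' 'what do ya want for nothing?')" = "$want" ]
}

SECRET='constructed-secret'   # constructed sample
TS=1457395200                 # constructed sample timestamp

if hmac_selftest; then
    echo "prehash:     $(cb_prehash "$TS" GET /v2/accounts)"
    echo "signature:   $(cb_sign "$SECRET" "$TS" GET /v2/accounts)"
    echo "via echo:    $(hmac_via_echo "$SECRET" "$(cb_prehash "$TS" GET /v2/accounts)")"
else
    echo "HMAC pipeline does not match the RFC 4231 vector" >&2
fi
```

`-hmac` puts the secret on the openssl command line, where other local users can see it in the process list while the command runs.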
Hi guys, I have been trying for many days to run this code, but it always returns "code":-1022,"msg":"Signature for this request is not valid", but I am sure the code is correct. Can anyone check my script to see if everything is OK? Thanks to all for any advice.
APIKEY="MY APIKEY"
APISECRET="MY SECRET KEY"
URLPART2="symbol=BNBUSDT&side=BUY&type=LIMIT&quoteOrderQty=10&price=270.3&stopPrice=270.3&newOrderRespType=FULL"
RECVWINDOW=50000
RECVWINDOW="recvWindow=$RECVWINDOW"
TIMESTAMP="timestamp=$(( $(date +%s) *1000))"
QUERYSTRING="&$URLPART2&$RECVWINDOW&$TIMESTAMP"
SIGNATURE=$(echo -n "$QUERYSTRING" | openssl dgst -sha256 -hmac $APISECRET | cut -c 10-)
SIGNATURE="signature=$SIGNATURE"
#curl -s -H "X-MBX-APIKEY: $APIKEY" "https://api.binance.com/api/v3/order/test?$URLPART2&$RECVWINDOW&$TIMESTAMP&$SIGNATURE"
curl -H "X-MBX-APIKEY: $APIKEY" -X POST "https://api.binance.com/api/v3/order/test?$URLPART2&$RECVWINDOW&$TIMESTAMP&$SIGNATURE"
echo
I am trying to use Hashicorp Vault to sign a file with RSASSA-PSS-4096. The file is too big for sending it to the server directly, so I want to prehash it locally and then send the digest via POST request to the Vault transit engine.
While the Vault signature verification works, the OpenSSL verification fails.
Please see my drafted script:
# Calculate SHA256 hash and convert to base64
sha256sum_base64=$(openssl dgst -sha256 -binary $1 | base64)
# Sign Hash Value with Vault
json_response=$(curl -s \
--header "X-Vault-Token: $(cat token)" \
--request POST \
--data-binary '{"input": "'"$sha256sum_base64"'", "prehashed": true, "signature_algorithm": "pss", "hash_algorithm": "sha2-256"}' \
http://127.0.0.1:8200/v1/transit/sign/rsa_4096)
# Extract base64 signature from the json response.
signature_base64=$(echo $json_response | python3 -c "import sys, json; print(json.load(sys.stdin)['data']['signature'])" | cut -d ":" -f 3)
# Convert signature from base64 to binary and write to file
sigfile=$1__signature.bin
echo $signature_base64 | openssl base64 -d -A -in - -out $sigfile
# Check whether signature is valid via OpenSSL
echo "OpenSSL --> " $(openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify rsa_4096_pub.pem -signature $sigfile $1)
# Check whether signature is valid via Vault
signature_vaultformat="vault:v1:$signature_base64"
verify_response=$(curl -s \
--header "X-Vault-Token: $(cat token)" \
--request POST \
--data-binary '{"input": "'"$sha256sum_base64"'", "signature": "'"$signature_vaultformat"'", "prehashed": true, "signature_algorithm": "pss", "hash_algorithm": "sha2-256"}' \
http://127.0.0.1:8200/v1/transit/verify/rsa_4096)
echo "Vault Verify --> " $(echo $verify_response | python3 -c "import sys, json; print(json.load(sys.stdin)['data']['valid'])")
What could be the problem here? I played with rsa_pss_saltlen parameters (e.g. -1) without success. Is there another OpenSSL parameter I am missing? Do I need to consider something for EMSA-PSS?
Here is a proof-of-concept where you can sign a piece of text using the Transit secrets engine and then verify the signature using openssl rather than using the Transit secrets engine again.
# Define our plaintext
TEXT="abc123"
# Encode our plaintext with base64
B64_ENCODED_TEXT=$(echo $TEXT | base64)
# Reset the transit secrets engine
vault secrets disable transit
vault secrets enable transit
# Create a key called 'test' using 'rsa-2048'
vault write -f transit/keys/test \
type='rsa-2048'
# Export the public key from the transit secret engine key named 'test'
PUBLIC_KEY=$(vault read -format=json transit/keys/test | \
jq -r '.data.keys."1".public_key')
# Sign our base64 encoded text using our transit key named 'test' and
# capture the signature
SIGNATURE=$(vault write -format=json transit/sign/test/sha2-256 \
input="$B64_ENCODED_TEXT" \
signature_algorithm="pss" | \
jq -r '.data.signature')
# Demonstrate that we can use transit to verify our signature
printf "\nVerifying signature using Vault Transit...\n"
vault write transit/verify/test/sha2-256 \
signature_algorithm="pss" \
input=$B64_ENCODED_TEXT \
signature=$SIGNATURE
# Write out public key to a file
echo "$PUBLIC_KEY" > publickey.pem
# Remove the metadata from the Vault supplied signature and decode the
# signature using base64, writing the raw signature to a file
echo $SIGNATURE | cut -d':' -f3 | base64 -d > sig
# Write the non-encoded plaintext to a file
echo "$TEXT" > mytext
# Use openssl to verify the signature using the base64 decoded raw signature
# along with the public key and the non-encoded plaintext
printf "\nVerifying signature using openssl...\n"
openssl dgst \
-sha256 \
-verify publickey.pem \
-signature sig \
-sigopt rsa_padding_mode:pss \
mytext
Some important notes below:
Note that ALL data that is signed by Vault Transit secret engine must first be base64 encoded.
When using openssl to verify a signature, you must make sure that you are using the correct signature algorithm.
When Vault provides a signature, it's in the following format: vault:v1:8SDd3WHDOjf7mq69... where vault denotes that it was signed by Vault, v1 denotes the version of the key and the final part is the actual signature that is encoded using base64. The openssl utility requires that the signature is binary and not base64. In order to verify this signature with openssl, you must remove the first 2 parts of the Vault provided signature. You must then decode the base64 encoded signature and use the resultant binary signature when verifying with openssl.
When verifying with openssl you cannot use the base64 encoded version of the text, you must use the non-base64 encoded plaintext.
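An added example, not part of the original posts: it reproduces the question's prehash-then-sign flow with OpenSSL alone and shows how the `rsa_pss_saltlen` given at verification decides the outcome. It assumes the signer used the largest salt that fits the key, as Go's `crypto/rsa` does when the salt length is left on automatic; the throwaway key, sample file and function names are constructed.

```shell
# Added example: RSASSA-PSS over a locally computed digest, checked with
# openssl dgst. Key, file and names are constructed; no Vault is involved.

# pss_setup DIR: throwaway RSA key pair plus a sample file and its digest.
pss_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
    printf 'constructed sample payload\n' > "$1/file.bin"
    openssl dgst -sha256 -binary "$1/file.bin" > "$1/digest.bin"
}

# pss_sign_digest DIR SALTLEN: sign the 32-byte digest, not the file.
# SALTLEN is "max" (largest salt that fits the key) or "digest" (32 bytes).
pss_sign_digest() {
    openssl pkeyutl -sign -inkey "$1/key.pem" -in "$1/digest.bin" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt "rsa_pss_saltlen:$2" -out "$1/sig.bin"
}

# pss_verify_file DIR SALTLEN: verify against the original file, exit 0 if valid.
pss_verify_file() {
    openssl dgst -sha256 -verify "$1/pub.pem" -signature "$1/sig.bin" \
        -sigopt rsa_padding_mode:pss -sigopt "rsa_pss_saltlen:$2" \
        "$1/file.bin" >/dev/null 2>&1
}

# pss_demo: sign with the maximum salt, then verify with three salt settings.
pss_demo() {
    dir=$(mktemp -d) || return 1
    pss_setup "$dir"
    pss_sign_digest "$dir" max
    out=""
    for s in 32 digest auto; do
        if pss_verify_file "$dir" "$s"; then
            out="$out $s=ok"
        else
            out="$out $s=fail"
        fi
    done
    rm -rf "$dir"
    echo "${out# }"
}

pss_demo   # 32=fail digest=fail auto=ok
```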
I have a curl request in the format below
curl -v -H "Content-Type:application/json" -H "x-user-id:xxx" -H "x-api-key:yyy" --data '{"logs":"'"${TEST_OUTPUT}"'","pass":"true | false"}' https://razeedash.one.qqq.cloud.com/api/v1/clusters/zzz/api/test_results
This works fine when I run it from my Mac terminal. But the same command throws
13:49:26 {
13:49:26 "status": "error",
13:49:26 "message": "Invalid credentials"
13:49:26 }
I saw this post but I am not sure how else I would send a JSON body without curly braces. I know that we can save it as a file.json and use the file as the body. But for some reasons that cannot be implemented in my scenario.
In general, you should avoid trying to build JSON using string interpolation. Use a tool like jq to handle any necessary quoting.
jq -n --argson o "$TEST_OUTPUT" '{logs: $o, pass: "true | false"}' |
curl -v -H "Content-Type:application/json" \
-H "x-user-id:xxx" \
-H "x-api-key:yyy" \
--data @- \
https://razeedash.one.qqq.cloud.com/api/v1/clusters/zzz/api/test_results
However, if you can manage to correctly generate your JSON as you are now, you can just replace the jq command with echo:
echo '{"logs": ...' | curl ...
The @- argument to --data says to read from standard input.
I'm currently trying to generate an OAuth signature for my curl request header. These point to a NetSuite restlet. Resources online are either inconclusive or too high level for my understanding/lacking examples. How do I go about calculating the oauth_signature value for my request?
The following is my request with credentials omitted:
curl --request GET \
--url 'https://rest.na1.netsuite.com/app/site/hosting/restlet.nl?script=foo&deploy=bar' \
--header 'Authorization: OAuth realm="'"$realm"'",oauth_consumer_key="'"$oauth_consumer_key"'",oauth_token="'"$oauth_token"'",oauth_signature_method="HMAC-SHA1",oauth_timestamp="'"$(OAuth_timestamp)"'",oauth_nonce="'"$(OAuth_nonce)"'",oauth_version="1.0",oauth_signature="'"$(OAuth_signature)"'"' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
| jq
Below is a list of the parameters I'm passing for the sake of readability:
params=(
oauth_consumer_key='foo'
oauth_signature_method='HMAC-SHA1'
oauth_version='1.0'
oauth_nonce=$(OAuth_nonce)
oauth_timestamp=$(OAuth_timestamp)
oauth_token='tokenfoo'
realm='4478811'
)
I am generating the timestamp and nonce like so:
OAuth_nonce () {
md5 <<< "$RANDOM-$(date +%s.%N)" | cut -d' ' -f 1
}
OAuth_timestamp () {
echo "$(date +%s)"
}
I got most of my resources from https://github.com/livibetter-backup/bash-oauth but no docs exist, the examples are poor, and the library itself doesn't seem to work when I've tested the functions.
All the values I use in the script (confirmed passing with bash +x) work when run in Postman, but I can't calculate an oauth_signature value outside of it.
How do I create an OAuth_signature function that I can return a valid signature with? What parameters am I going to have to pass that function to calculate correctly? Is it possible or easier to generate perhaps using perl or python?
I try to create a file share on an existing Azure storage account via bash script. I only have the account name and key, but don't want to use login credentials.
This is what I have so far:
#!/bin/sh
DATE_ISO=$(date +"%Y-%m-%dT%H:%M:%S")
VERSION="2015-02-21"
curl --header "x-ms-version: ${VERSION}" --header "x-ms-date: ${DATE_ISO}" --header "Authorization: SharedKey mystorageaccount:?????" https://mystorageaccount.file.core.windows.net/myshare?restype=share
The documentation says, "Authorization" is required (syntax: Authorization="[SharedKey|SharedKeyLite] <AccountName>:<Signature>") and "Signature" is a Hash-based Message Authentication Code (HMAC) constructed from the request and computed by using the SHA256 algorithm, and then encoded by using Base64 encoding.
So how do I generate this Signature?
Try this to create Share with bash script.
#!/bin/sh
STORAGE_KEY="$1"
STORAGE_ACCOUNT="$2"
SHARE_NAME="$3"
DATE_ISO=$(TZ=GMT date "+%a, %d %h %Y %H:%M:%S %Z")
VERSION="2015-12-11"
HEADER_RESOURCE="x-ms-date:$DATE_ISO\nx-ms-version:$VERSION"
URL_RESOURCE="/$STORAGE_ACCOUNT/$SHARE_NAME\nrestype:share"
STRING_TO_SIGN="PUT\n\n\n\n\n\n\n\n\n\n\n\n$HEADER_RESOURCE\n$URL_RESOURCE"
DECODED_KEY="$(echo -n $STORAGE_KEY | base64 -d -w0 | xxd -p -c256)"
SIGN=$(printf "$STRING_TO_SIGN" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$DECODED_KEY" -binary | base64 -w0)
curl -X PUT \
-H "x-ms-date:$DATE_ISO" \
-H "x-ms-version:$VERSION" \
-H "Authorization: SharedKey $STORAGE_ACCOUNT:$SIGN" \
-H "Content-Length:0" \
"https://$STORAGE_ACCOUNT.file.core.windows.net/$SHARE_NAME?restype=share"
Try this to create Directory under the specified share.
#!/bin/sh
STORAGE_KEY="$1"
STORAGE_ACCOUNT="$2"
SHARE_NAME="$3"
DIRECTORY_NAME="$4"
DATE_ISO=$(TZ=GMT date "+%a, %d %h %Y %H:%M:%S %Z")
VERSION="2015-12-11"
HEADER_RESOURCE="x-ms-date:$DATE_ISO\nx-ms-version:$VERSION"
URL_RESOURCE="/$STORAGE_ACCOUNT/$SHARE_NAME/$DIRECTORY_NAME\nrestype:directory"
STRING_TO_SIGN="PUT\n\n\n\n\n\n\n\n\n\n\n\n$HEADER_RESOURCE\n$URL_RESOURCE"
DECODED_KEY="$(echo -n $STORAGE_KEY | base64 -d -w0 | xxd -p -c256)"
SIGN=$(printf "$STRING_TO_SIGN" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$DECODED_KEY" -binary | base64 -w0)
curl -X PUT \
-H "x-ms-date:$DATE_ISO" \
-H "x-ms-version:$VERSION" \
-H "Authorization: SharedKey $STORAGE_ACCOUNT:$SIGN" \
-H "Content-Length:0" \
"https://$STORAGE_ACCOUNT.file.core.windows.net/$SHARE_NAME/$DIRECTORY_NAME?restype=directory"