apigee / iloveapis2015-hmac-httpsignature

Apache License 2.0

Issue with HMAC created using Crypto-JS #1

Open PradeepAnde opened 8 years ago

PradeepAnde commented 8 years ago

Hi, we are using Crypto-js to create HMAC and send the request to the Proxy.

The HMAC which is created using JAVA "hmac-edge-callout.jar" is different.

    data = CryptoJS.enc.Utf8.parse(data);
    var hashSign = CryptoJS.HmacSHA512(data, apiSecret);
    var buffer = new Buffer(hashSign);
    var toBase64 = buffer.toString('base64');

DinoChiesa commented 8 years ago

Is it an HMAC 512 in the server? I think it might be HMAC 256. Can you check?

-DC

On Jun 6, 2016, at 8:30 PM, PradeepAnde notifications@github.com wrote:

Hi, we are using Crypto-js to create HMAC and send the request to the Proxy.

The HMAC which is created using JAVA "hmac-edge-callout.jar" is different.

    data = CryptoJS.enc.Utf8.parse(data);
    var hashSign = CryptoJS.HmacSHA512(data, apiSecret);
    var buffer = new Buffer(hashSign);
    var toBase64 = buffer.toString('base64');


DinoChiesa commented 8 years ago

I should have mentioned:

I've used crypto-JS in multiple different clients against this code and it works. But you need to make sure the bit strength is correct on both sides.

-DC


PradeepAnde commented 8 years ago

We are using SHA512. Below is the code. Can you please post cryptoJS code?

We are creating HMAC using crypto-JS and sending the request to Proxy. We have created a Java call out using "hmac-edge-callout.jar" to verify the HMAC.

I am new to APIGEE; any suggestions will be helpful. Please find the code below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="false" name="JC-Verify-HMAC">
    <DisplayName>JC Verify HMAC</DisplayName>
    <Properties>
        <!-- name of the variable that holds the key //{verifyapikey.verify-api-key.client_secret}-->
        <Property name="key">{.client_secret}</Property>
        <Property name="algorithm">SHA-512</Property>
        <Property name="string-to-sign"> {request.verb}{client.scheme}://{request.header.host}{message.uri}{request.content}</Property>
        <Property name="hmac-base64">{request.header.Authorization}</Property>
        <Property name="debug">true</Property>
    </Properties>
    <FaultRules>
        <FaultRule name="rule1">
            <Step>
                <Name>RF-invalid-hmac</Name>
            </Step>
            <Condition>hmac.error != null</Condition>
        </FaultRule>
    </FaultRules>
    <ClassName>com.apigee.callout.hmac.HmacCreatorCallout</ClassName>
    <ResourceURL>java://hmac-edge-callout.jar</ResourceURL>
</JavaCallout>
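
An added example, not part of the thread or the project's code: using only Node.js's built-in crypto module, it builds the string-to-sign in the field order of the policy above, computes the base64 HMAC, and uses the decoded length of a received signature to tell an HMAC-SHA256 value from an HMAC-SHA512 one before comparing in constant time. The request values, the secret and all function names are constructed for illustration, and it assumes the leading space in the posted `string-to-sign` template is not part of the signed string.

```javascript
// Added example (not from the thread): Node.js built-in crypto only.
const nodeCrypto = require('crypto');

// Digest sizes in bytes for the two HMAC variants discussed in the thread.
const DIGEST_BYTES = { sha256: 32, sha512: 64 };

// Concatenate the fields in the order of the policy's string-to-sign
// template: verb, scheme, "://", host, uri, content.
// Assumption: the leading space in the posted template is not signed.
function stringToSign(req) {
  return `${req.verb}${req.scheme}://${req.host}${req.uri}${req.content}`;
}

// HMAC over the UTF-8 bytes of the message, base64 of the raw digest bytes.
function hmacBase64(algorithm, secret, message) {
  return nodeCrypto.createHmac(algorithm, secret)
    .update(message, 'utf8')
    .digest('base64');
}

// Guess which HMAC variant produced a received signature from its length.
function guessAlgorithm(signatureB64) {
  const len = Buffer.from(signatureB64, 'base64').length;
  const hit = Object.entries(DIGEST_BYTES).find(([, n]) => n === len);
  return hit ? hit[0] : `unknown (${len} bytes)`;
}

// Constant-time comparison of the received signature with the expected one.
function verify(algorithm, secret, message, receivedB64) {
  const expected = Buffer.from(hmacBase64(algorithm, secret, message), 'base64');
  const received = Buffer.from(receivedB64, 'base64');
  return expected.length === received.length &&
    nodeCrypto.timingSafeEqual(expected, received);
}

// Constructed sample request and secret, for illustration only.
const sampleReq = { verb: 'POST', scheme: 'https', host: 'api.example.com',
  uri: '/v1/orders?id=7', content: '{"qty":1}' };
const sampleSecret = 'constructed-demo-secret';
const msg = stringToSign(sampleReq);
const sig512 = hmacBase64('sha512', sampleSecret, msg);
const sig256 = hmacBase64('sha256', sampleSecret, msg);
console.log(guessAlgorithm(sig512), verify('sha512', sampleSecret, msg, sig512));
console.log(guessAlgorithm(sig256), verify('sha512', sampleSecret, msg, sig256));
```

A signature that decodes to neither 32 nor 64 bytes points at an encoding problem on the client (for example, base64 of a hex string or of an object's text form) rather than at a key or algorithm mismatch.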