Using curl and openssl to access the Veracode API endpoint

You can make requests to the Veracode service by sending an HMAC signature in the HTTP Authorization header.

The mechanism is described in "Understanding API Access" (https://help.veracode.com/reader/lsoDk5r2cv~YrwLQSI7lfw/H0S3580tt9sPFz3IgSMvnA), with a Java program as illustration. For an API wrapper in Go, see https://github.com/brian1917/vcodeHMAC.

For illustration and plain shell scripting on the command line, it's possible to compute the Authorization header using openssl. Here's how:

# Input:
# - The URL you want to query, e.g. https://analysiscenter.veracode.com/api/5.0/getapplist.do
# - The HTTP method, e.g. GET
# - Your API credentials VERACODE_ID and VERACODE_KEY which you can generate (and revoke) from the UI
#   Below values don't work any longer (that would be too easy, right?) and are included to allow tracing the HMAC operations.

VERACODE_ID=684a28d91070e4ce68b2131e43c2d79b
VERACODE_KEY=38611f3f651c90091e0cd5389e8a836fa591829505ea0acf4b8f141a4b0b1779ed016fd1819ddd07f2bee100bf7ffec9f2b29ff719f9e818f3e40865719474e3

NONCE="$(cat /dev/random | xxd -p | head -c 32)"
# NONCE=43a096639916c4f3925a44200cc2eeeb
TS="$(($(date +%s%N)/1000))"
# TS=1528471895699
URLPATH=/api/5.0/getapplist.do
METHOD=GET

encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2)
# encryptedNonce=fdadd4b99d0e80e2ff62c8462e649df50b7d8454bc44184385ad2d249eb0d3a2

encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2)
# encryptedTimestamp=cf2289384942ad95b591c15053dc2e91c16ec555722c4886329e697337240c98

signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2)
# signingKey=72163d368a280f9b5fc467baa1c181c391378e88b5bee0906569142d7d9d9e2f

DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2)
VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
# VERACODE_AUTH_HEADER=VERACODE-HMAC-SHA-256 id=684a28d91070e4ce68b2131e43c2d79b,ts=1528471895699,nonce=43a096...3c72e2

curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH"

If things go right, output will be some XML (edited):

<?xml version="1.0" encoding="UTF-8"?>
<applist
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="https://analysiscenter.veracode.com/schema/2.0/applist"
    xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/applist https://analysiscenter.veracode.com/resource/2.0/applist.xsd"
    applist_version="1.2"
    account_id="11111">
    <app
        app_id="22222"
        app_name="Cyberdyne Systems"
        policy_updated_date="1997-08-29T02:14:00-04:00"/>
</applist>

Shell Notes

  • I'm on Windows here using Git Bash, YMMV with other shells.
  • The funny cut after each openssl call removes the (stdin)= prefix that openssl emits on my system:
$ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World'
(stdin)= 8d1a4c29af178df51b9282eaf6b8898b800e9ec5

$ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World' | cut -d ' ' -f 2
8d1a4c29af178df51b9282eaf6b8898b800e9ec5

(08Jun2018)
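The same signing chain in Python, as an added example that is not part of the gist (the gist itself uses openssl): trace() returns the intermediate values in the order of the script's encryptedNonce, encryptedTimestamp and signingKey comments, so a run of the openssl pipeline can be compared step by step, and auth_header() assembles the header from them. verify_header() is an assumed receiver-side check written here for illustration, not Veracode's server logic; url_path goes into DATA verbatim, exactly like URLPATH in the script, so the query-string question from the comments is not decided by it.

```python
import hashlib
import hmac
import os
import time

# Revoked sample values from the gist, kept only for tracing the HMAC chain.
GIST_ID = "684a28d91070e4ce68b2131e43c2d79b"
GIST_KEY = "38611f3f651c90091e0cd5389e8a836fa591829505ea0acf4b8f141a4b0b1779ed016fd1819ddd07f2bee100bf7ffec9f2b29ff719f9e818f3e40865719474e3"
GIST_NONCE = "43a096639916c4f3925a44200cc2eeeb"
GIST_TS = 1528471895699
HOST = "analysiscenter.veracode.com"
REQUEST_VERSION = b"vcode_request_version_1"

def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def trace(api_key_hex: str, nonce_hex: str, ts_ms: int) -> dict:
    """The three chained HMACs, in the order of the openssl calls in the gist: the API key
    and the nonce are hex-decoded before use, the timestamp is fed as decimal text."""
    enc_nonce = hmac_sha256(bytes.fromhex(api_key_hex), bytes.fromhex(nonce_hex))
    enc_ts = hmac_sha256(enc_nonce, str(ts_ms).encode())
    signing_key = hmac_sha256(enc_ts, REQUEST_VERSION)
    return {"encryptedNonce": enc_nonce.hex(), "encryptedTimestamp": enc_ts.hex(),
            "signingKey": signing_key.hex()}

def auth_header(api_id, api_key_hex, url_path, method, nonce_hex, ts_ms, host=HOST):
    """Authorization header value; url_path goes into DATA verbatim, like URLPATH in the gist."""
    signing_key = bytes.fromhex(trace(api_key_hex, nonce_hex, ts_ms)["signingKey"])
    data = f"id={api_id}&host={host}&url={url_path}&method={method}".encode()
    sig = hmac_sha256(signing_key, data).hex()
    return f"VERACODE-HMAC-SHA-256 id={api_id},ts={ts_ms},nonce={nonce_hex},sig={sig}"

def verify_header(header, api_key_hex, url_path, method, now_ms, max_skew_ms=600_000, host=HOST):
    """Assumed receiver-side check (not Veracode's code): parse the header, recompute it
    for the known key and request, compare in constant time, reject stale timestamps."""
    try:
        scheme, rest = header.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split(","))
        ts = int(fields["ts"])
        expected = auth_header(fields["id"], api_key_hex, url_path, method, fields["nonce"], ts, host)
    except (ValueError, KeyError):
        return False  # malformed header, bad hex or missing field
    if scheme != "VERACODE-HMAC-SHA-256" or abs(now_ms - ts) > max_skew_ms:
        return False
    return hmac.compare_digest(expected.encode(), header.encode())

def fresh_nonce_and_ts():
    """What the gist builds with /dev/random and date: 16 random bytes as hex, Unix time in ms."""
    return os.urandom(16).hex(), int(time.time() * 1000)
```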

@ananta-code

Veracode token generation issues
I am using Java to generate the AUTHORIZATION token by using id and key for the below service.

• $veracodeApiUrl/getbuildlist.do

I am using https://help.veracode.com/reader/lsoDk5r2cv~YrwLQSI7lfw/FwNDTkcEp1p3gnWJDUcqOA to generate the token.

But in this case, I am only using api_key like the code below.

private static final String ACCESS_KEY_ID = "8780d6511ef516dee5a924861244***6";

private static final String SECRET_ACCESS_KEY = "d28d232a253cfee1b51c1ae18********8f5904109fd947ddb3efdc66aad933b9f0060283e16d507ba7ff883b550bb2b5a6440f8c2650d6ed3b5814226a0a640330";

private static final String URL_BASE = "analysiscenter.veracode.com";

private static final String URL_PATH = "/api/5.0/getbuildlist.do?app_id=***059";

private static final String GET = "GET";

final URL applicationsApiUrl = new URL("https://" + URL_BASE + URL_PATH );

/* Now we use the url above and our example HMAC signer class to generate a Veracode HMAC header for later use. */

final String authorizationHeader = HmacRequestSigner.getVeracodeAuthorizationHeader(ACCESS_KEY_ID, SECRET_ACCESS_KEY, applicationsApiUrl, GET);

So the authorization token is generated successfully, but when I try to invoke the service using this token through curl, I am getting an error.

curl -i -X http://proxy.rus.com: -X GET -H "Authorization: VERACODE-HMAC-SHA-256 id=8780d6511ef516dee5a92486877887,ts=1579002705228,nonce=a03d0828cdc79d3fae73f3677e0bc78a,sig=1b539242d509d4f722d1fd8fc703b31f2867d2a425e4000839dfd0f53454" https://analysiscenter.veracode.com/api/5.0/getbuildlist.do -F "app_id=****59"

% Total % Received % Xferd Average Speed Time Time Time Current

             Dload Upload  Total  Spent  Left Speed

0 0 0 0 0 0 0 0 --:--:-- 0:00:20 --:--:-- 0curl: (7) Failed to connect to analysiscenter.veracode.com port 443: Timed out

Please guide me as to whether the token generation step is correct or not and whether the parameters I am passing are correct or not.

Regards,

@m9aertner
Author

Hello, the error message "Failed to connect to analysiscenter.veracode.com port 443: Timed out" is a strong indication that you're having network-level issues. Your packet filter, firewall or similar very likely does not even allow you to connect to that server. Your dump suggests you even use a proxy server? Can you avoid that? Are you sure Veracode accepts connections from that proxy server?

Without a connection, it does not matter what data you prepared for sending, or if the keys and/or the computations are indeed correct. Your data won't be sent at all without a connection.

I suggest you avoid the proxy server and focus on getting the SSL connection up and running. For low-level SSL, you may use "openssl" for testing, e.g. "openssl s_client -connect analysiscenter.veracode.com:443".

Regards, M.

@henryglendening-wwt

henryglendening-wwt commented Aug 6, 2020

Thank you for sharing this! I'm able to use it successfully for a URL path like /api/5.0/getbuildlist.do?app_id=XXXX for instance, but I consistently receive errors for any endpoints that have multiple querystring parameters, such as /api/5.0/getbuildlist.do?app_id=XXXX&sandbox_id=XXXX. I'm fairly confident that it's due to the DATA variable already using ampersand characters to delimit key-value pairs, causing the additional querystring parameters to no longer be interpreted as part of the URLPATH.

How would one go about using this script to call an endpoint that contained multiple querystring parameters?

@m9aertner
Author

I am not that involved with Veracode any longer and have no way of checking this currently, but it looks likely that the special characters & and maybe ? and = need to be encoded when passed into DATA?

So when one has parameters in URLPATH as in

URLPATH='/api/5.0/getbuildlist.do?app_id=XXXX&sandbox_id=XXXX'

then maybe use

ENC_URLPATH=/api/5.0/getbuildlist.do%3Fapp_id%3DXXXX%26sandbox_id%3DXXXX
DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$ENC_URLPATH&method=$METHOD"
