You can make requests to the Veracode API by sending an HMAC-SHA-256 signature in the HTTP Authorization header.
The mechanism is described under "Understanding API Access" https://help.veracode.com/reader/lsoDk5r2cv~YrwLQSI7lfw/H0S3580tt9sPFz3IgSMvnA with a Java program as illustration. For an API wrapper in Go, see https://github.com/brian1917/vcodeHMAC.
For illustration, and for plain shell scripting on the command line, the Authorization header can be computed with openssl. Here's how:
# Input:
# - The URL you want to query, e.g. https://analysiscenter.veracode.com/api/5.0/getapplist.do
# - The HTTP method, e.g. GET
# - Your API credentials VERACODE_ID and VERACODE_KEY which you can generate (and revoke) from the UI
# The credentials below have been revoked (that would be too easy, right?) and are kept only so the intermediate HMAC values can be traced step by step.
VERACODE_ID=684a28d91070e4ce68b2131e43c2d79b
VERACODE_KEY=38611f3f651c90091e0cd5389e8a836fa591829505ea0acf4b8f141a4b0b1779ed016fd1819ddd07f2bee100bf7ffec9f2b29ff719f9e818f3e40865719474e3
NONCE="$(head -c 16 /dev/urandom | xxd -p)"   # 16 random bytes, hex-encoded = 32 hex characters
# NONCE=43a096639916c4f3925a44200cc2eeeb
TS="$(($(date +%s%N)/1000000))"   # milliseconds since the epoch: date gives nanoseconds, hence /1000000
# TS=1528471895699
URLPATH=/api/5.0/getapplist.do
METHOD=GET
# Step 1: HMAC-SHA256 of the raw nonce bytes, keyed with the raw API key bytes (both hex-decoded first)
encryptedNonce=$(echo -n "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2)
# encryptedNonce=fdadd4b99d0e80e2ff62c8462e649df50b7d8454bc44184385ad2d249eb0d3a2
# Step 2: HMAC of the timestamp as a decimal ASCII string (not as bytes), keyed with the output of step 1
encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2)
# encryptedTimestamp=cf2289384942ad95b591c15053dc2e91c16ec555722c4886329e697337240c98
# Step 3: derive the signing key from the fixed version tag, keyed with the output of step 2
signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2)
# signingKey=72163d368a280f9b5fc467baa1c181c391378e88b5bee0906569142d7d9d9e2f
# Step 4: sign the id/host/url/method string with the signing key; host carries no scheme, url is the path only
DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2)
VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
# VERACODE_AUTH_HEADER=VERACODE-HMAC-SHA-256 id=684a28d91070e4ce68b2131e43c2d79b,ts=1528471895699,nonce=43a096...3c72e2
curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH"
If things go right, the output will be XML like this (edited):
<?xml version="1.0" encoding="UTF-8"?>
<applist
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="https://analysiscenter.veracode.com/schema/2.0/applist"
xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/applist https://analysiscenter.veracode.com/resource/2.0/applist.xsd"
applist_version="1.2"
account_id="11111">
<app
app_id="22222"
app_name="Cyberdyne Systems"
policy_updated_date="1997-08-29T02:14:00-04:00"/>
</applist>
- I'm on Windows here using Git Bash, YMMV with other shells.
- The funny "cut" after each openssl call removes the "(stdin)=" junk that gets emitted on my system:
$ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World'
(stdin)= 8d1a4c29af178df51b9282eaf6b8898b800e9ec5
$ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World' | cut -d ' ' -f 2
8d1a4c29af178df51b9282eaf6b8898b800e9ec5
(08Jun2018)
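The same four-step HMAC chain, as an added example that is not part of the original post and not Veracode's own library: a Python port of the signing procedure above, plus the check a receiving side would run on the resulting Authorization header (recompute the signature, compare it in constant time, reject stale timestamps). The API id, key, nonce and timestamp used in the comments are constructed test values; the five-minute timestamp tolerance is an assumption, since the page does not state Veracode's actual window, and the lookup of the secret key by API id is left to the caller.

```python
"""Veracode-style HMAC-SHA-256 request signing and verification (added example)."""
import hashlib
import hmac
import os
import time

AUTH_SCHEME = "VERACODE-HMAC-SHA-256"
REQUEST_VERSION = b"vcode_request_version_1"
TS_WINDOW_MS = 5 * 60 * 1000  # assumed tolerance; not stated on the page


def _hmac256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def signing_data(api_id: str, host: str, url_path: str, method: str) -> str:
    # Exactly the string the shell script puts in $DATA: host without scheme, url = path.
    return f"id={api_id}&host={host}&url={url_path}&method={method}"


def compute_signature(api_key_hex: str, nonce_hex: str, ts_ms: int, data: str) -> str:
    """Steps 1-4 of the chain; every intermediate value is used as the next step's key."""
    # Step 1: key and nonce are hex strings on the wire but raw bytes inside the HMAC.
    enc_nonce = _hmac256(bytes.fromhex(api_key_hex), bytes.fromhex(nonce_hex))
    # Step 2: the timestamp is hashed as its decimal ASCII representation.
    enc_ts = _hmac256(enc_nonce, str(ts_ms).encode())
    # Step 3: fixed version tag derives the per-request signing key.
    signing_key = _hmac256(enc_ts, REQUEST_VERSION)
    # Step 4: sign the id/host/url/method string; hex-encoded result goes in the header.
    return _hmac256(signing_key, data.encode()).hex()


def build_auth_header(api_id: str, api_key_hex: str, host: str, url_path: str,
                      method: str, nonce_hex: str = None, ts_ms: int = None) -> str:
    """Client side: fresh 16-byte nonce and ms timestamp unless fixed values are supplied."""
    nonce_hex = nonce_hex or os.urandom(16).hex()
    ts_ms = int(time.time() * 1000) if ts_ms is None else ts_ms
    sig = compute_signature(api_key_hex, nonce_hex, ts_ms,
                            signing_data(api_id, host, url_path, method))
    return f"{AUTH_SCHEME} id={api_id},ts={ts_ms},nonce={nonce_hex},sig={sig}"


def parse_auth_header(header: str) -> dict:
    """Split 'SCHEME k=v,k=v,...' into its fields; raises ValueError on a malformed header."""
    scheme, _, params = header.partition(" ")
    if scheme != AUTH_SCHEME:
        raise ValueError("unexpected auth scheme")
    fields = dict(p.split("=", 1) for p in params.split(","))
    missing = {"id", "ts", "nonce", "sig"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields


def verify_auth_header(header: str, api_key_hex: str, host: str, url_path: str,
                       method: str, now_ms: int = None) -> bool:
    """Receiving side: rebuild the signature from the request it actually received.

    api_key_hex is the secret the caller looked up for the id in the header.
    Any change to host, path or method (or an expired timestamp) fails the check.
    """
    try:
        f = parse_auth_header(header)
        ts = int(f["ts"])
        nonce = bytes.fromhex(f["nonce"]).hex()  # rejects non-hex nonces early
    except ValueError:
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now_ms - ts) > TS_WINDOW_MS:
        return False  # stale or future-dated request
    expected = compute_signature(api_key_hex, nonce, ts,
                                 signing_data(f["id"], host, url_path, method))
    # Constant-time comparison: never compare MACs with ==.
    return hmac.compare_digest(expected, f["sig"])


if __name__ == "__main__":
    # Constructed credentials, not real ones.
    hdr = build_auth_header("0123456789abcdef0123456789abcdef", "ab" * 64,
                            "analysiscenter.veracode.com", "/api/5.0/getapplist.do", "GET")
    print(hdr)
    print("verifies:", verify_auth_header(hdr, "ab" * 64, "analysiscenter.veracode.com",
                                          "/api/5.0/getapplist.do", "GET"))
```

Because the signed string contains host, path and method, a signature captured for one GET cannot be replayed against another endpoint or with another method, and the timestamp bounds how long a captured header stays usable at all; the nonce is what distinguishes two otherwise identical requests made in the same millisecond.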
Veracode token generation issues
I am using Java to generate the Authorization token, using the id and key, for the service below.
• $veracodeApiUrl/getbuildlist.do
I am using https://help.veracode.com/reader/lsoDk5r2cv~YrwLQSI7lfw/FwNDTkcEp1p3gnWJDUcqOA to generate the token,
but in this case I am only using api_key, as in the code below.
private static final String ACCESS_KEY_ID = "8780d6511ef516dee5a924861244***6";
private static final String SECRET_ACCESS_KEY = "d28d232a253cfee1b51c1ae18********8f5904109fd947ddb3efdc66aad933b9f0060283e16d507ba7ff883b550bb2b5a6440f8c2650d6ed3b5814226a0a640330";
private static final String URL_BASE = "analysiscenter.veracode.com";
private static final String URL_PATH = "/api/5.0/getbuildlist.do?app_id=***059";
private static final String GET = "GET";
final URL applicationsApiUrl = new URL("https://" + URL_BASE + URL_PATH);
final String authorizationHeader = HmacRequestSigner.getVeracodeAuthorizationHeader(ACCESS_KEY_ID, SECRET_ACCESS_KEY, applicationsApiUrl, GET);
So the authorization token is generated successfully, but when I try to invoke the service with this token through curl, I get an error.
curl -i -X http://proxy.rus.com: -X GET -H "Authorization: VERACODE-HMAC-SHA-256 id=8780d6511ef516dee5a92486877887,ts=1579002705228,nonce=a03d0828cdc79d3fae73f3677e0bc78a,sig=1b539242d509d4f722d1fd8fc703b31f2867d2a425e4000839dfd0f53454" https://analysiscenter.veracode.com/api/5.0/getbuildlist.do -F "app_id=****59"
% Total % Received % Xferd Average Speed Time Time Time Current
0 0 0 0 0 0 0 0 --:--:-- 0:00:20 --:--:-- 0curl: (7) Failed to connect to analysiscenter.veracode.com port 443: Timed out
Please guide me on whether the token generation step is correct and whether the parameters I am passing are correct.
Regards,