You can make requests to the Veracode service by sending an HMAC signature in the HTTP authorization header.
The mechanism is described in "Understanding API Access" (https://help.veracode.com/reader/lsoDk5r2cv~YrwLQSI7lfw/H0S3580tt9sPFz3IgSMvnA), with a Java program as illustration. For an API wrapper in Go, see https://github.com/brian1917/vcodeHMAC.
For illustration, and for plain shell scripting on the command line, the Authorization header can be computed with nothing but openssl. Here's how:
# Input:
# - The URL you want to query, e.g. https://analysiscenter.veracode.com/api/5.0/getapplist.do
# - The HTTP method, e.g. GET
# - Your API credentials VERACODE_ID and VERACODE_KEY which you can generate (and revoke) from the UI
# Below values don't work any longer (that would be too easy, right?) and are included to allow tracing the HMAC operations.
VERACODE_ID=684a28d91070e4ce68b2131e43c2d79b
VERACODE_KEY=38611f3f651c90091e0cd5389e8a836fa591829505ea0acf4b8f141a4b0b1779ed016fd1819ddd07f2bee100bf7ffec9f2b29ff719f9e818f3e40865719474e3
NONCE="$(openssl rand -hex 16)"   # 16 random bytes, hex-encoded (32 chars); fresh for every request
# NONCE=43a096639916c4f3925a44200cc2eeeb
TS="$(($(date +%s%N)/1000000))"   # milliseconds since the epoch (13 digits); %N is GNU date only, "$(( $(date +%s) * 1000 ))" works everywhere
# TS=1528471895699
URLPATH=/api/5.0/getapplist.do
METHOD=GET
# Step 1: HMAC-SHA256 over the raw nonce bytes, keyed with the API key
encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2)
# encryptedNonce=fdadd4b99d0e80e2ff62c8462e649df50b7d8454bc44184385ad2d249eb0d3a2
# Step 2: HMAC over the timestamp string, keyed with the result of step 1 (printf '%s' instead of echo -n: no trailing newline, works in any shell)
encryptedTimestamp=$(printf '%s' "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2)
# encryptedTimestamp=cf2289384942ad95b591c15053dc2e91c16ec555722c4886329e697337240c98
# Step 3: HMAC over the fixed version string, keyed with the result of step 2
signingKey=$(printf '%s' "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2)
# signingKey=72163d368a280f9b5fc467baa1c181c391378e88b5bee0906569142d7d9d9e2f
# Step 4: sign the request description (id, host, path, method) with the derived signing key
DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
signature=$(printf '%s' "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2)
VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
# VERACODE_AUTH_HEADER=VERACODE-HMAC-SHA-256 id=684a28d91070e4ce68b2131e43c2d79b,ts=1528471895699,nonce=43a096...3c72e2
curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH"
If things go right, output will be some XML (edited):
<?xml version="1.0" encoding="UTF-8"?>
<applist
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="https://analysiscenter.veracode.com/schema/2.0/applist"
xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/applist https://analysiscenter.veracode.com/resource/2.0/applist.xsd"
applist_version="1.2"
account_id="11111">
<app
app_id="22222"
app_name="Cyberdyne Systems"
policy_updated_date="1997-08-29T02:14:00-04:00"/>
</applist>
- I'm on Windows here using Git Bash, YMMV with other shells.
- The funny "cut" after each openssl call removes the "(stdin)= " junk that gets emitted on my system:
$ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World'
(stdin)= 8d1a4c29af178df51b9282eaf6b8898b800e9ec5
$ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World' | cut -d ' ' -f 2
8d1a4c29af178df51b9282eaf6b8898b800e9ec5
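As an added example that is not part of the original post, here is the same derivation packaged as shell functions so it can be reused from scripts. It needs only openssl, sed and awk (the xxd step is replaced by a small hex-to-bytes helper) and avoids bash-only syntax, so it also runs under plain sh. The function names, the NONCE/TS environment variables used for replaying a known request, and the use of "openssl rand" for the nonce are my choices, not Veracode's; the revoked sample credentials, nonce and timestamp are the ones from the walk-through above, and replaying them reproduces the encryptedNonce, encryptedTimestamp and signingKey values shown there.

```shell
#!/bin/sh
# Added example (not from the original post): Veracode HMAC-SHA-256 request
# signing as reusable shell functions, built on openssl, sed and awk only.

# HMAC-SHA-256 over the bytes on stdin, keyed with the hex string in $1.
# awk prints the last field, so both the old "(stdin)= <hex>" output and the
# OpenSSL 3 "HMAC-SHA256(stdin)= <hex>" output reduce to just the hex digest.
hmac_hexkey() {
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

# Write the bytes encoded by the (even-length) hex string $1 to stdout.
# Portable stand-in for "xxd -r -p": every byte becomes a \0ooo octal escape,
# which printf %b understands in all POSIX shells. The bytes go straight down
# a pipe, so a 0x00 byte in the nonce is not lost to string truncation.
hex2bin() {
  local hex=$1 esc=''
  while [ -n "$hex" ]; do
    esc="$esc$(printf '\\0%03o' "$((0x$(printf '%.2s' "$hex")))")"
    hex=${hex#??}
  done
  printf '%b' "$esc"
}

# Derive the key chain for one request and print four hex values, one per
# line: kNonce, kDate, kSig and the final signature.
#   kNonce = HMAC(apiKey,  nonceBytes)
#   kDate  = HMAC(kNonce,  ts)
#   kSig   = HMAC(kDate,   "vcode_request_version_1")
#   sig    = HMAC(kSig,    "id=..&host=..&url=..&method=..")
# Arguments: api_id api_key nonce_hex ts_millis host url_path method
veracode_derive() {
  local id=$1 key=$2 nonce=$3 ts=$4 host=$5 path=$6 method=$7
  local k_nonce k_date k_sig
  k_nonce=$(hex2bin "$nonce" | hmac_hexkey "$key")
  k_date=$(printf '%s' "$ts" | hmac_hexkey "$k_nonce")
  k_sig=$(printf '%s' vcode_request_version_1 | hmac_hexkey "$k_date")
  printf '%s\n%s\n%s\n' "$k_nonce" "$k_date" "$k_sig"
  printf '%s' "id=$id&host=$host&url=$path&method=$method" | hmac_hexkey "$k_sig"
}

# Build the Authorization header value. NONCE and TS may be preset in the
# environment to replay a known request; otherwise a fresh 16-byte nonce and
# the current time in milliseconds (second resolution) are used.
# Arguments: api_id api_key host url_path method
veracode_auth_header() {
  local id=$1 key=$2 host=$3 path=$4 method=$5
  local nonce=${NONCE:-$(openssl rand -hex 16)}
  local ts=${TS:-$(( $(date +%s) * 1000 ))}
  local sig
  sig=$(veracode_derive "$id" "$key" "$nonce" "$ts" "$host" "$path" "$method" | tail -n 1)
  printf 'VERACODE-HMAC-SHA-256 id=%s,ts=%s,nonce=%s,sig=%s' "$id" "$ts" "$nonce" "$sig"
}

# Replay the revoked sample credentials with the nonce and timestamp from the
# walk-through above: the first three output lines are the encryptedNonce,
# encryptedTimestamp and signingKey values shown there, the fourth is the sig.
veracode_derive 684a28d91070e4ce68b2131e43c2d79b \
  38611f3f651c90091e0cd5389e8a836fa591829505ea0acf4b8f141a4b0b1779ed016fd1819ddd07f2bee100bf7ffec9f2b29ff719f9e818f3e40865719474e3 \
  43a096639916c4f3925a44200cc2eeeb 1528471895699 \
  analysiscenter.veracode.com /api/5.0/getapplist.do GET
```

For a live call, source the file and let the header function pick a fresh nonce and timestamp: curl -H "Authorization: $(veracode_auth_header "$VERACODE_ID" "$VERACODE_KEY" analysiscenter.veracode.com /api/5.0/getapplist.do GET)" https://analysiscenter.veracode.com/api/5.0/getapplist.do. The host, path and method passed to the function must be exactly what curl sends, since they are part of the signed data.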
(08Jun2018)
Hello, the error message "Failed to connect to analysiscenter.veracode.com port 443: Timed out" is a strong indication that you're having network-level issues. Your packet filter, firewall or similar very likely does not even allow connecting to that server. Your dump suggests you even use a proxy server? Can you avoid that? Are you sure Veracode accepts connections from that proxy server?
Without a connection, it does not matter what data you prepared for sending, or whether the keys and/or the computations are indeed correct. Your data won't be sent at all without a connection.
I suggest you avoid the proxy server and focus on getting the SSL connection up and running. For low-level SSL, you may use "openssl" for testing, e.g. "openssl s_client -connect analysiscenter.veracode.com:443".
Regards, M.