Veracode custom HMAC request signing algorithm (used for API authorization)

auth.js

var crypto = require('crypto');

const id = process.env.API_ID; // your API ID, reading from environment variable
const key = process.env.KEY; // your API key, reading from environment variable

const preFix = "VERACODE-HMAC-SHA-256";
const verStr = "vcode_request_version_1";

var host = "api.veracode.com";

var hmac256 = (data, key, format) => {
	var hash = crypto.createHmac('sha256', key).update(data);
	// no format = Buffer / byte array
	return hash.digest(format);
}

var getByteArray = (hex) => {
	var bytes = [];

	for(var i = 0; i < hex.length-1; i+=2){
	    bytes.push(parseInt(hex.substr(i, 2), 16));
	}

	// signed 8-bit integer array (byte array)
	return Int8Array.from(bytes);
}

var getHost = () => {
	return host;
}

var generateHeader = (url, method) => {

	var data = `id=${id}&host=${host}&url=${url}&method=${method}`;
	var timestamp = (new Date().getTime()).toString();
	var nonce = crypto.randomBytes(16).toString("hex");

	// calculate signature
	var hashedNonce = hmac256(getByteArray(nonce), getByteArray(key));
	var hashedTimestamp = hmac256(timestamp, hashedNonce);
	var hashedVerStr = hmac256(verStr, hashedTimestamp);
	var signature = hmac256(data, hashedVerStr, 'hex');

	return `${preFix} id=${id},ts=${timestamp},nonce=${nonce},sig=${signature}`;
}

module.exports = {
	getHost,
	generateHeader
}

sample usage

const auth = require("./auth");

var url = `/appsec/v1/applications?some_param=value`;

var token = auth.generateHeader(url, "GET");

// now add that token to "Authorization" header in your API request

Does this script need any changes? I get "message":"Request failed with status code 401","name":"Error","stack":"Error: Request failed with status code 401\n". Need some help

This still works as of yesterday.
A few things to check

1. Is your ID and API key still valid?
2. Did you generate a token for every request?
3. Is your account authorized to call the API endpoint you are trying to access ?

If you are sure none of them is the issue, you probably need to post your code for me to help you

Thank you for reaching back. It worked as is. Thank you!

Ah glad to see it worked out!

Probably good time to put a better sample usage

const https = require("https");
const auth = require("./auth");

var options = {
    host: auth.getHost(),
    path: "/appsec/v1/applications?size=100&page=0",
    method: "GET"
}

options.headers = {
    "Authorization": auth.generateHeader(options.path, options.method)
}

var req = https.request(options, (resp) => {
    var body = "";

    resp.on("data", (chunk) => {
        body += chunk;
    });

    resp.on("end", () => {
        console.log(body);
    });
})


req.on("error", (err) => {
    console.error(err);
});

req.end();