Last active August 23, 2023 21:17
Veracode custom HMAC request signing algorithm (used for API authorization)
var crypto = require('crypto');

const id = process.env.API_ID; // your API ID, reading from environment variable
const key = process.env.KEY; // your API key (hex string), reading from environment variable

const preFix = "VERACODE-HMAC-SHA-256";
const verStr = "vcode_request_version_1";

var resthost = ""; // rest host
var xmlhost = ""; // xml host

// HMAC-SHA-256 of data under key
var hmac256 = (data, key, format) => {
    var hash = crypto.createHmac('sha256', key).update(data);
    // no format = Buffer / byte array
    return hash.digest(format);
};

// decode a hex string into bytes, two hex characters per byte
var getByteArray = (hex) => {
    var bytes = [];
    for (var i = 0; i < hex.length - 1; i += 2) {
        bytes.push(parseInt(hex.substr(i, 2), 16));
    }
    // signed 8-bit integer array (byte array)
    return Int8Array.from(bytes);
};

// pick the host that goes into the signed data
var getHost = (xml) => {
    if (xml) {
        return xmlhost;
    }
    return resthost;
};

// build the Authorization header value for one request
var generateHeader = (url, method, xml) => {
    var host = getHost(xml);
    var data = `id=${id}&host=${host}&url=${url}&method=${method}`;
    var timestamp = (new Date().getTime()).toString();
    var nonce = crypto.randomBytes(16).toString("hex");

    // calculate signature: each HMAC output is the key for the next step
    var hashedNonce = hmac256(getByteArray(nonce), getByteArray(key));
    var hashedTimestamp = hmac256(timestamp, hashedNonce);
    var hashedVerStr = hmac256(verStr, hashedTimestamp);
    var signature = hmac256(data, hashedVerStr, 'hex');

    return `${preFix} id=${id},ts=${timestamp},nonce=${nonce},sig=${signature}`;
};

// functions made available to the calling script
module.exports = {
    getHost,
    generateHeader
};
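
The derivation chain in generateHeader with the timestamp and nonce passed in, so the signature is reproducible and a header can be recomputed and compared in constant time (useful when checking a port of the algorithm). This is an added example, not part of the original gist: the names sign, parseHeader and verify and all sample values are constructed, the key and nonce are assumed to be valid even-length hex, and how Veracode's servers validate the header is not shown on the page.

```javascript
const crypto = require('crypto');

const PREFIX = 'VERACODE-HMAC-SHA-256';
const VER_STR = 'vcode_request_version_1';

const hmac = (data, key, format) =>
  crypto.createHmac('sha256', key).update(data).digest(format);

// Same chain as generateHeader: key -> nonce -> timestamp -> version -> data.
// Buffer.from(x, 'hex') yields the same bytes as the gist's getByteArray(x).
function sign({ id, keyHex, host, url, method, ts, nonceHex }) {
  const data = `id=${id}&host=${host}&url=${url}&method=${method}`;
  const k1 = hmac(Buffer.from(nonceHex, 'hex'), Buffer.from(keyHex, 'hex'));
  const k2 = hmac(ts, k1);
  const k3 = hmac(VER_STR, k2);
  return hmac(data, k3, 'hex');
}

// Split "VERACODE-HMAC-SHA-256 id=..,ts=..,nonce=..,sig=.." into its fields.
function parseHeader(header) {
  const [scheme, params = ''] = header.split(' ');
  if (scheme !== PREFIX) throw new Error('unexpected scheme');
  const fields = Object.fromEntries(params.split(',').map((p) => p.split('=')));
  for (const name of ['id', 'ts', 'nonce', 'sig']) {
    if (!fields[name]) throw new Error(`missing ${name}`);
  }
  return fields;
}

// Recompute the signature for a header and compare in constant time.
function verify(header, { keyHex, host, url, method }) {
  const f = parseHeader(header);
  const expected = sign({ id: f.id, keyHex, host, url, method, ts: f.ts, nonceHex: f.nonce });
  const a = Buffer.from(expected, 'hex');
  const b = Buffer.from(f.sig, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample values (not real credentials, hosts or endpoints).
const sample = {
  id: '0123456789abcdef0123456789abcdef',
  keyHex: '00112233445566778899aabbccddeeff',
  host: 'api.example.test', url: '/v1/items', method: 'GET',
  ts: '1700000000000', nonceHex: 'a0a1a2a3a4a5a6a7a8a9aaabacadaeaf',
};
const sampleHeader =
  `${PREFIX} id=${sample.id},ts=${sample.ts},nonce=${sample.nonceHex},sig=${sign(sample)}`;
```

Because the host, URL and method are all part of the signed data, a header generated for one request does not verify for another.
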
This still works as of yesterday.
A few things to check

  1. Are your ID and API key still valid?
  2. Did you generate a token for every request?
  3. Is your account authorized to call the API endpoint you are trying to access?

If you are sure none of them is the issue, you probably need to post your code for me to help you.

Thank you for reaching back. It worked as is. Thank you!

Ah glad to see it worked out!

Hi @mrpinghe I'm trying to use this and kinda confused on
"Then in command line

$ export API_ID=YOUR_API_ID_VALUE && export KEY=YOUR_KEY_VALUE && node test.js"

I can't seem to get it to work as I paste it in my terminal and get this error: Uncaught SyntaxError: Unexpected token 'export'

$ export
$ export

What am I doing wrong?

mrpinghe commented Mar 4, 2023

@falcond20 could you paste a screenshot of your terminal showing how you ran the command and the output, with your ID and Key values redacted?

falcond20 commented Mar 5, 2023

Here is the screenshot @mrpinghe

mrpinghe commented Mar 5, 2023

Ah PowerShell. You want to use Set-Variable to set those variables I believe (I'm not too familiar with PowerShell)

FYI - For those interested in using the Web Crypto API (e.g. browser) instead of the Node.js Crypto module, (based on @mrpinghe's work here)