This gist is deprecated. Please use the pre-request script found at https://github.com/veracode/veracode-postman.
var url = require('url');
// Veracode API credential pair. `key` is hex-decoded before use (it is passed
// to computeHashHex as the hex key), so it must be a hex string.
// NOTE(review): a real secret pasted here is stored in the script text and
// goes wherever the collection is exported or shared. Reading both values from
// Postman variables (e.g. pm.environment.get) would keep the secret out of the
// script; confirm what fits your workspace.
const id = "YOUR_VERACODE_API_KEY_ID";
const key = "YOUR_VERACODE_API_KEY_SECRET";

// Scheme label placed in front of the Authorization header parameters.
const authorizationScheme = "VERACODE-HMAC-SHA-256";

// Fixed string fed into the third stage of the HMAC chain in calculateDataSignature.
const requestVersion = 'vcode_request_version_1';

// Number of random bytes requested for each nonce.
const nonceSize = 16;
/**
 * Compute HMAC-SHA256 over `message`, keyed with the bytes that `key_hex` encodes.
 *
 * @param {string} message - Data to authenticate; passed to CryptoJS unchanged.
 * @param {string} key_hex - HMAC key written as a hex string.
 * @returns {string} The MAC rendered as a hex string.
 */
function computeHashHex(message, key_hex) {
  const hexEncoding = CryptoJS.enc.Hex;
  // The key is decoded from hex; the message is not decoded in any way.
  const keyBytes = hexEncoding.parse(key_hex);
  const mac = CryptoJS.HmacSHA256(message, keyBytes);
  return mac.toString(hexEncoding);
}
/**
 * Derive the request signature through a four-stage HMAC chain.
 *
 * The API secret keys an HMAC over the nonce; each result then keys the next
 * HMAC, over the timestamp, the request-version string and finally the
 * request data.
 *
 * @param {string} key - API secret as a hex string.
 * @param {string} nonceBytes - Nonce value as produced by newNonce().
 * @param {string} dateStamp - Timestamp string that is also sent in the header.
 * @param {string} data - Canonical request string to sign.
 * @returns {string} Hex signature for the `sig` header parameter.
 */
function calculateDataSignature(key, nonceBytes, dateStamp, data) {
  // Order matters: every stage's hex output is the key of the following stage.
  const chainInputs = [nonceBytes, dateStamp, requestVersion];
  const signingKey = chainInputs.reduce(
    (stageKey, input) => computeHashHex(input, stageKey),
    key,
  );
  return computeHashHex(data, signingKey);
}
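/**
 * Generate a fresh nonce as an upper-case hex string.
 *
 * The caller in calculateVeracodeAuthHeader passes the desired size, which the
 * previous zero-parameter signature silently ignored; the size is now honoured
 * and defaults to `nonceSize`, so existing calls behave as before.
 *
 * NOTE(review): the quality of the randomness depends on the CryptoJS build
 * that the sandbox provides. CryptoJS 3.x derived WordArray.random from
 * Math.random, while 4.x uses the platform CSPRNG; confirm which one is bundled.
 *
 * @param {number} [size=nonceSize] - Number of random bytes to request.
 * @returns {string} Upper-case hex encoding of the random bytes.
 */
function newNonce(size = nonceSize) {
  return CryptoJS.lib.WordArray.random(size).toString().toUpperCase();
}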
/**
 * Hex-encode the UTF-8 bytes of a string.
 *
 * @param {string} input - Text to encode.
 * @returns {string} Hex representation of the UTF-8 encoding of `input`.
 */
function toHexBinary(input) {
  const utf8Bytes = CryptoJS.enc.Utf8.parse(input);
  return CryptoJS.enc.Hex.stringify(utf8Bytes);
}
/**
 * Build the Authorization header value for one request.
 *
 * The signed data covers the API key id, host, path (with query string, as
 * returned by url.parse) and HTTP method. The request body and other headers
 * are not part of the signed data.
 *
 * NOTE(review): if `requestUrl` has no scheme, url.parse reports no hostname
 * and the string "null" is signed as the host; confirm callers always pass an
 * absolute URL.
 *
 * @param {string} httpMethod - HTTP method of the request being signed.
 * @param {string} requestUrl - Request URL with variables already substituted.
 * @returns {string} Header value: scheme, a space, then id/ts/nonce/sig parameters.
 */
function calculateVeracodeAuthHeader(httpMethod, requestUrl) {
  const { hostname, path } = url.parse(requestUrl);

  // Millisecond timestamp and a fresh nonce for every request.
  const timestamp = Date.now().toString();
  const nonce = newNonce(nonceSize);

  const signedData = [
    `id=${id}`,
    `host=${hostname}`,
    `url=${path}`,
    `method=${httpMethod}`,
  ].join('&');
  const signature = calculateDataSignature(key, nonce, timestamp, signedData);

  // The nonce is sent as the hex encoding of the same string that was signed.
  const params = [
    `id=${id}`,
    `ts=${timestamp}`,
    `nonce=${toHexBinary(nonce)}`,
    `sig=${signature}`,
  ].join(',');

  return `${authorizationScheme} ${params}`;
}
var {Property} = require('postman-collection');
// Resolve {{variable}} placeholders before signing, because the host and path
// of the URL are part of the signed data.
const substitutedUrl = Property.replaceSubstitutions(request.url, pm.variables.toObject());
const signedAuthHeader = calculateVeracodeAuthHeader(request.method, substitutedUrl);

// Store the header value in the environment under 'hmacAuthHeader'. It holds
// the API key id, timestamp, nonce and signature, but not the API secret.
postman.setEnvironmentVariable('hmacAuthHeader', signedAuthHeader);
tjarrettveracode commented Oct 28, 2020

To use this script, you need to add an additional header called Authorization to your request and set its value to {{hmacAuthHeader}}. This will substitute in the environment variable that is created at the last step of this script, containing the HMAC authorization.

tjarrettveracode commented May 3, 2022

This gist is deprecated. Please use the pre-request script found at https://github.com/veracode/veracode-postman.
