1

I am using ApiAuth gem (as found here) to sign my request. I am also writing my own JavaScript code using CryptoJS (as found here) to provide authentication by checking the encrypted header generated by ApiAuth against the one generated by my code.

Given below is a code snippet from ApiAuth Gem:

def hmac_signature(headers, secret_key, options)
  if options[:with_http_method]
    canonical_string = headers.canonical_string_with_http_method(options[:override_http_method])
  else
    canonical_string = headers.canonical_string
  end
  digest = OpenSSL::Digest.new('sha1')
  b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
end

Here is the code I have written as an equivalent in JavaScript:

function hmacSignature(request, appSecret) {
 return CryptoJS.HmacSHA1(canonicalString(request), appSecret).toString(CryptoJS.enc.Base64);}

These two don't generate the same encrypted header. I tried using jsSHA to do the same thing and while the encrypted header generated by jsSHA and CryptoJS is the same, they don't match the one generated by ApiAuth.

Kindly help me figure out how to make this work.

EDIT:

Taking Canonical String as "message" and appSecret as "secret" I get the same values from ApiAuth and CryptoJS which is:

DK9kn+7klT2Hv5A6wRdsReAo3xY=

I've figured out that the problem in my original code is coming because the timestamp set in my JS code and the one set in the ApiAuth don't match.

NiroshaDogra
  • 21
  • 5
  • Two points: you probably have a typo in `CryptoJS.HmacSHA` - mine CryptoJS does not know this method and requires to specify the particular algorithm, e.g. `CryptoJS.HmacSHA1`. And, if this *was* a typo, can you provide a working sample for both version given some test input and show the resulting digests, so that we can test and compare against something? Thanks. – Matouš Borák May 02 '16 at 15:07
  • Hi. Yes. It's supposed to be SHA1. I'll fix the typo. As far as an example is concerned, you can use "message" and "secret" as the inputs to replace canonical string and appSecret. If I do that, I get different encrypted values for both. They aren't the same. – NiroshaDogra May 02 '16 at 15:25

1 Answers1

0

I fixed my problem and am writing this answer in hopes that it helps someone else looking for a solution to this problem.

  1. Let me start off by saying that the two encryptions should be the same whether they are encrypted in Ruby or JS or any other language.
  2. It is important to check that every portion of the input sent to both places is exactly the same and completely identical.

When I checked my inputs to the JS file and the gem, I realised that for some reason the time-stamp (which I was setting in the JS file) wasn't getting sent correctly to the gem.

I debugged my code step by step and figured out where the mistake was. I am outlining some of the possible issues below:

  1. I was setting the timestamp in my JS as follow

    request.headers["DATE"]

I realised that this wasn't getting set correctly so I had to change "DATE" to "DATE1" and accordingly change the rest of my code. This worked.

  1. Second, the timestamp I was sending wasn't compatible with the HTTP GST type timestamp that was expected by the gem. This is another thing that you must keep in mind when sending the timestamp.
NiroshaDogra
  • 21
  • 5