cURL NONCE_NOT_PROVIDED - linux

I had found these steps for use with a different API. They do not appear to work.
My understanding of nonce is that it is just a random hash you use once, so the creation method should matter little.
I think my issue is with my cURL formatting.
session:
# echo -n "/0" > tmp.bin
# echo -n "123nonce=123" | openssl sha256 -binary >> tmp.bin
# cat tmp.bin | openssl sha512 -binary -hmac $(echo -n "mmyykkeeyy" | base64 -d) | base64 -w long_hash
# curl -X GET -H "Accept: application/json" -H "long_hash" -d "nonce=123" "https://bittrex.com/Api/v2.0/key/market/GetOrderHistory?market=BTC-TRX&apikey=mmyyykkeeyy"
return data:
{"success":false,"message":"NONCE_NOT_PROVIDED","result":null}
also tried:
echo -n "/0/key" > tmp.bin
and I also tried creating the nonce without the tmp.bin, outputting it to the buffer and using it raw. Same nonce error.
adding
-H "Content-Type: application/json"
yields a server 500 error.
known working api v2.0 library, only python and does not suit my needs v2.0 python library
How do I correctly deliver the nonce to the bittrex api using cURL?
UPDATE:
I changed the URL in the Bittrex Python library to a webserver not running https and captured the dead outbound packet in the raw (non-encapsulated). Now I can at least see what the known good Python library is throwing.
GET packet from known good Python library request in wireshark
$ echo -n "/0" > tmp.bin
$ echo -n "123nonce=123" | openssl sha256 -hex
(stdin)= 353f9df92ab1d5e5afe06bb7d1bb42a8ef6654b633d94818007aeafbaf03ca3d
$ echo 353f9df92ab1d5e5afe06bb7d1bb42a8ef6654b633d94818007aeafbaf03ca3d| openssl sha512 -binary -hmac $(echo -n "mmyykkeeyy" | base64 -d) | base64 -w 0
biglonghash
$ curl -X GET -H "Accept: application/json" -H "biglonghash" "https://bittrex.com/Api/v2.0/key/market/GetOrderHistory?apikey=mmyykkeeyy&nonce=353f9df92ab1d5e5afe06bb7d1bb42a8ef6654b633d94818007aeafbaf03ca3d&market=BTC-TRX"
response:
{"success":false,"message":"APISIGN_NOT_PROVIDED","result":null}
update2:
$ echo -n "/key" > tmp.bin
$ echo -n "123nonce=123" | openssl sha256 -binary >> tmp.bin
$ cat tmp.bin | openssl sha512 -binary -hmac $(echo -n "mmyysseeccrreett" | base64 -d) | base64 -w 0
output:
biglonghash
session:
$ curl --get -H "Accept: application/json" -H "apisign:biglonghash" "https://bittrex.com/Api/v2.0/key/market/GetOrderHistory?apikey=mmyyaappiikkeeyy&nonce=353f9df92ab1d5e5afe06bb7d1bb42a8ef6654b633d94818007aeafbaf03ca3d&market=BTC-TRX"
{"success":false,"message":"INVALID_SIGNATURE","result":null}

Related

JWT Signature HS256 - different result on linux and website

I'm trying to write small linux utility for development purposes that works with JWT signatures.
Problem: linux secret and secret from jwt.io website are different.
I'm using default data from https://jwt.io/#debugger-io and HS256.
Example:
# hmac256
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | hmac256 secret
> 4c9540f793ab33b13670169bdf444c1eb1c37047f18e861981e14e34587b1e04
# openssl
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | openssl dgst -sha256 -hmac secret
> (stdin)= 4c9540f793ab33b13670169bdf444c1eb1c37047f18e861981e14e34587b1e04
# Key from website
# TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Found answer, result of hash utilities should be in binary format and also in base64 encoding.
So working commands are:
echo -n "{header}.{payload}" | hmac256 --binary secret | base64
echo -n "{header}.{payload}" | openssl dgst -sha256 -binary -hmac secret | base64
Example:
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | hmac256 --binary secret | base64
> TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ=
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | openssl dgst -sha256 -binary -hmac secret | base64
> TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ=
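The commands above still end in "=", while the value shown on jwt.io does not: a JWT signature segment is base64url without padding (RFC 7515). The following is an added example, not part of the original post, that signs and verifies with that encoding; the function names are hypothetical, and the input and key are the jwt.io defaults quoted in the question.

```shell
#!/bin/sh
# Added example: HS256 signing and verification of a JWT with openssl.
# Function names are hypothetical; INPUT and the key "secret" are the
# jwt.io default values quoted in the question.

# base64url without padding (RFC 7515): '+' -> '-', '/' -> '_', drop '='.
b64url() {
    base64 | tr -d '\n=' | tr '+/' '-_'
}

# jwt_hs256_sign "<header>.<payload>" "<secret>" -> signature segment
# Note: -hmac passes the key in argv, so it is visible in the process list.
jwt_hs256_sign() {
    printf '%s' "$1" | openssl dgst -sha256 -binary -hmac "$2" | b64url
}

# jwt_hs256_verify "<token>" "<secret>" -> exit 0 only if the signature matches
jwt_hs256_verify() {
    signing_input=${1%.*}      # everything before the last dot
    presented=${1##*.}         # signature segment
    case $signing_input in
        *.*) ;;                # must still contain header.payload
        *) return 2 ;;         # malformed token
    esac
    expected=$(jwt_hs256_sign "$signing_input" "$2")
    # Plain string comparison (not constant-time).
    [ "$presented" = "$expected" ]
}

INPUT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9'
SIG=$(jwt_hs256_sign "$INPUT" secret)
echo "signature: $SIG"
if jwt_hs256_verify "$INPUT.$SIG" secret; then echo "valid with correct key"; fi
if ! jwt_hs256_verify "$INPUT.$SIG" wrongkey; then echo "rejected with wrong key"; fi
```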

Error When trying to push ssh keys into github from bash script

I am working on a script that creates ssh keys and puts them into github using bash. I am running into this error when running this function. I want a way to generate ssh keys and put them into github from terminal within my script.
sudo ssh-keygen -t rsa
KEY=$(sudo cat ~/.ssh/id_rsa.pub)
echo "Here is your KEY var: ${KEY}"
read -p "GitHub Username: " USERNAME
read -p "Please enter a title for you ssh key: " TITLE
curl --user "\"${USERNAME}"\" -X POST --data '{ "\"title"\": "\"$TITLE"\", "\"key"\": "\"$KEY"\" }' https://api.github.com/user/keys
Error: {
"message": "Bad credentials",
"documentation_url": "https://developer.github.com/v3"
}
You are putting too many quotes in the command. The correct code (to a first approximation) would be
curl --user "${USERNAME}" -X POST \
--data "{ \"title\": \"$TITLE\", \"key\": \"$KEY\" }" \
https://api.github.com/user/keys
However this is prone to failure if either TITLE or KEY contains a character that needs to be escaped to include in JSON. The right way to do this is to generate the JSON with a tool like jq, which takes care of any necessary escaping.
curl --user "${USERNAME}" -X POST \
--data "$(jq -n --arg t "$TITLE" --arg k "$KEY" \
'{title: $t, key: $k}')" \
https://api.github.com/user/keys
or
jq -n --arg t "$TITLE" --arg k "$KEY" '{title: $t, key: $k}' |
curl --user "$USERNAME" -X POST --data @- https://api.github.com/user/keys

bash script to windows cmd, with nested command

I am doing this curl command successfully in bash console to retrieve data from a REST resource:
curl -H "Accept: application/json" -H "Content-Type: application/json" -H "X-content: test_content" -H "X-Public: public_key" -H "X-Hash: $(printf "testcompany1" | openssl sha256 -hmac "secret_key" | sed "s/^.* //" | tr -d "\n")" -X GET http://192.168.100.20/rest/v01/customer/csv > /home/user/customer.csv
What I want to do is to use this in a Windows cmd shell. Cygwin and curl are installed. So I have tracked it down to this puzzling me, the hmac hashing, done as a nested command in my script using $(command):
$(printf "testcompany1" | openssl sha256 -hmac "secret_key" | sed "s/^.* //" | tr -d "\n")
How do I get a Windows cmd shell to recognize this? Or is there another smarter approach in Windows to get REST data with hmac auth?
I split the bash one-liner up into chunks in a batch file like this:
echo off
set content=content
set secret=secret_key
printf %content% | openssl sha256 -hmac %secret% | sed "s/^.* //" | tr -d "\n" > hash.txt
set /p hash=< hash.txt
curl -H "Accept: application/json" -H "Content-Type: application/json" -H "X-content: %content%" -H "X-Public: public_key" -H "X-Hash: %hash%" -X GET http://192.168.100.20/rest/v01/customer/csv > out.csv
The printf command was very picky regarding generating the correct hash value, so I send it to a file first, and back again.

Variable not expanding inside curl command in linux

I have a curl command which I want to execute from inside a shell script.
My script is as below:
iddn="`jq -r '.APPID_DN' /scr/resp.json`"
appid = `echo "$iddn" | awk -F',' '{print $1}'`
id =`echo $appid | awk '{print substr($0,4)}'`
apppwd = `jq -r '.APPID_PWD' /scr/resp.json`
tnname = `jq '.tnName' /scr/resp.json`
curl -i --user "$id":"$apppwd" -H "Content-Type: application/xml" -H "Accept: application/xml" -H "X-USER-IDENTITY-DOMAIN-NAME: tn11" --request GET "http://hostname.XX.XXXX.com:port/XXX/services/rest/version/auth/administrator/Clients"
But I am getting below error
HTTP/1.1 401 Unauthorized
Not authorized. Provide Authorization Header.
I tried echoing the command to see how the curl command is being formed, and I am getting it as (userid and passwd not passed at all):
curl -i --user -H "Content-Type: application/xml" -H "Accept: application/xml" -H "X-USER-IDENTITY-DOMAIN-NAME: tn11" --request GET "http://hostname.XX.XXXX.com:port/XXX/services/rest/version/auth/administrator/Clients"
But if I run the same command directly from the command line, it runs fine. Please help with this.
Regards,
Shilpi
id =`echo $appid | awk '{print substr($0,4)}'`
apppwd = `jq -r '.APPID_PWD' /scr/resp.json`
You must not put spaces around = in a shell variable assignment.
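The failure mode described in this answer, as an added example that is not part of the original posts: it shows what the shell does with the spaced assignment, then the corrected form with a guard that refuses to hand empty credentials to curl. The DN, password and function names are constructed, and the username is assumed to be the value of the first RDN.

```shell
#!/bin/sh
# Added example; the DN, password and function names are constructed.

# With spaces around '=', the shell runs a command named "appid" with the
# arguments "=" and "cn=app01". No variable is set.
broken_assignment_status() {
    status=0
    appid = "cn=app01" 2>/dev/null || status=$?
    echo "$status"             # 127 means "command not found"
}

# First RDN value of a DN: "cn=app01,ou=apps,dc=example" -> "app01".
first_rdn_value() {
    rdn=${1%%,*}               # text before the first comma
    printf '%s' "${rdn#*=}"    # drop the attribute name and '='
}

# Build the user:password argument, failing when either part is empty so
# curl is never started with an empty --user value.
userpass() {
    id=$(first_rdn_value "$1")
    apppwd=$2
    [ -n "$id" ] && [ -n "$apppwd" ] || { echo "missing credentials" >&2; return 1; }
    printf '%s:%s' "$id" "$apppwd"
}

# Constructed values standing in for the jq output in the question.
iddn='cn=app01,ou=apps,dc=example,dc=com'
echo "status of spaced assignment: $(broken_assignment_status)"
if creds=$(userpass "$iddn" 'constructed-password'); then
    echo "curl would be called with --user for: ${creds%%:*}"
fi
```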

Curl: How to insert value to a cookie?

How to insert cookie values in curl? From the Firebug request headers I can see the following:
Cookie: PHPSESSID=gg792c2ktu6sch6n8q0udd94o0; was=1; uncheck2=1; uncheck3=1; uncheck4=1; uncheck5=0; hd=1; uncheck1=1"
I have tried the following:
curl http://site.com/ -s -L -b cookie.c -c cookie.c -d "was=1; uncheck2=1; uncheck3=1; uncheck4=1; uncheck5=0; hd=1; uncheck1=1" > comic
and the only thing i see in cookie.c is
PHPSESSID=gg792c2ktu6sch6n8q0udd94o0; was=1;
To pass keys/values to cURL cookie, you need the -b switch, not -d.
For the forms -d, the data will be separated by & and not by ; in your curl command.
So :
curl http://site.com/ \
-s \
-L \
-b cookie.c \
-c cookie.c \
-b "was=1; uncheck2=1; uncheck3=1; uncheck4=1; uncheck5=0; hd=1; uncheck1=1" \
> comic
If you need to know the names of the forms to be POSTed, you can run the following command :
mech-dump --forms http://site.com/
It comes with the libwww-mechanize-perl package on Debian or derivatives.
