HMAC test strings and results problem

Hi, I am new to the World-Check API and am trying to follow the instructions to generate the HMAC signature. Reading /documentation/schema-reference/security.html, I found this example:

(request-target): post /v1/cases
host: rms-world-check-one-api.thomsonreuters.com
date: Tue, 07 Jun 2016 20:51:35 GMT
content-type: application/json
content-length: 88
{
"caseId": "my customer ID",
"name": "John Doe",
"providerTypes": ["WATCHLIST"]
}

with secret "1234" must return DA26D7F5BFF89A100D1A597AA015099FC55DD3130F023E952BFBE3A6949F322A but I am NOT receiving the same result.

I am sending this full string as follows:

ls_message="(request-target): post /v1/cases"+char(10)+"host: rms-world-check-one-api.thomsonreuters.com"+char(10)
ls_message+="date: Tue, 07 Jun 2016 20:51:35 GMT"+char(10)
ls_message+="content-type: application/json"+char(10)+"content-length: 88"+char(10)+"{"+char(10)+" ~"caseId~": ~"mycustomerID~","+char(10)
ls_message+=" ~"name~": ~"John Doe~","+char(10)+" ~"providerTypes~": [~"WATCHLIST~"]"+char(10)+"}"

Can you check what is wrong with the string?

I have tested the HMAC function at https://www.freeformatter.com/hmac-generator.html#ad-output with other strings and results from the function are correct, but with smaller strings. I don't know how to test with \n end of lines there.

Regards

Best Answer

  • asantibanez

    Found the solution

    Include this header

    loo_xmlHTTP.setRequestHeader("Content-Type","application/json")

    And use current date time.

    Thanks for your help

Answers

  • Hi @asantibanez,

    Please take a look at my answer to this previous question, as I point out, the documentation is incorrect...

    Hope this helps,
    Brian

  • Thanks, I used Postman to follow the process and some part is working, at least reaching the HMAC result, but I cannot make encode64 work as in the examples on SEQ-1a.

    I am obtaining from Postman and my software test the same result:

    var hash = CryptoJS.HmacSHA256(dataToSign,environment["api-secret"]);
    postman.setEnvironmentVariable("hash",hash)

    in my example is

    487c2b186b9dd6e29455dd1840a1bd57c3725159cad96948b528ba0beb9bbb92

    But not the rest of the function

    return hash.toString(CryptoJS.enc.Base64);

    I am receiving from my software and from

    https://www.freeformatter.com/base64-encoder.html#ad-output the same output

    NDg3YzJiMTg2YjlkZDZlMjk0NTVkZDE4NDBhMWJkNTdjMzcyNTE1OWNhZDk2OTQ4YjUyOGJhMGJlYjliYmI5Mg==

    But postman returns

    SHwrGGud1uKUVd0YQKG9V8NyUVnK2WlItSi6C+ubu5I=

    Any hint on what to look for?

    Regards

    Alfredo

  • Hi @asantibanez,

    If the Postman code works without your edits (i.e. out-of-the-box), then it could be a number of items. I suggest you look at my example and follow those steps, you could be just one character off or note that the example uses the Production URL and not the Pilot URL, which means you will not get the same result using Postman with the Pilot URL.

    What environment are you developing in?

    Brian

  • I am using

    rms-world-check-one-api-pilot.thomsonreuters.com on Postman. Please remember that the HMAC result is equal, where the URL is used; then trying to convert to base64 is the difference.

    let me copy the code I am using

    string hmac
    HMAC = in_capi.of_Hmac(ls_Algorithm, datatosign, apisecret )
    If IsNull( hmac) Then
    MessageBox(in_capi.LastFunction + " Failed", &
    in_capi.LastErrText, StopSign!)
    Return
    End If
    lblb_hmac64=blob(hmac,encodingansi!)
    hmac64=in_capi.of_blob_encode64(lblb_hmac64)

    //HERE IS THE PROBLEM, the string returned is different

    //If I use the same string and try to encoded to base 64 with the public service

    //https://www.freeformatter.com/base64-encoder.html#ad-output

    //I receive the same result as the function used above. But it is different from Postman.

    //I have not sent the GET


    string authorisation = "Signature keyId=~"" + apikey + "~",algorithm=~"hmac-sha256~",headers=~"(request-target) host date~","
    authorisation+="signature=~"" + hmac64 + "~""

  • Hi @asantibanez,

    Here is the corrected documentation to be updated in the next release...

    HTTP request example

    To illustrate all these requirements, given the following sample HTTP request:

    POST /v1/cases HTTP/1.1
    Host: rms-world-check-one-api.thomsonreuters.com
    Date: Tue, 07 Jun 2016 20:51:35 GMT
    Content-Type: application/json
    Content-Length: 88
    
    {
      "caseId": "my customer ID",
      "name": "John Doe",
      "providerTypes": ["WATCHLIST"]
    }

    the signing text used as input to the HMAC function would be:

    (request-target): post /v1/cases
    host: rms-world-check-one-api.thomsonreuters.com
    date: Tue, 07 Jun 2016 20:51:35 GMT
    content-type: application/json
    content-length: 88
    {
      "caseId": "my customer ID",
      "name": "John Doe",
      "providerTypes": ["WATCHLIST"]
    }

    This example assumes LF line endings (‘\n’/0x0A), and no trailing line ending after the closing bracket in the payload body.

    Given the above signing text, if a secret key of “1234” is used, the computed HMAC-SHA256 value would be 224B73FC07571E60E8B8D9BAB8107C656D3171F346B96183C665FD4C5330B85D when printed using hex encoding, or Iktz/AdXHmDouNm6uBB8ZW0xcfNGuWGDxmX9TFMwuF0= when printed using base64 encoding.

    The base64 representation is the value that will be included in the Authorization header. In this example, assuming an API key of 4321, the full HTTP request (with populated Authorization header) that will be sent to the API would then be:

    POST /v1/cases HTTP/1.1
    Host: rms-world-check-one-api.thomsonreuters.com
    Date: Tue, 07 Jun 2016 20:51:35 GMT
    Content-Type: application/json
    Content-Length: 88
    Authorization: Signature keyId="4321",algorithm="hmac-sha256",
       headers="(request-target) host date content-type content-length",
       signature="Iktz/AdXHmDouNm6uBB8ZW0xcfNGuWGDxmX9TFMwuF0="
    
    {
      "caseId": "my customer ID",
      "name": "John Doe",
      "providerTypes": ["WATCHLIST"]
    }
  • Hi, the base64 problem is solved. I found a link mentioning that returns from HMAC can be in hex format, so the calculation of base64 must take note of it. Now I have the same base64 result and I can continue with the test.

    New problem: unauthorized, same endpoint, same headers for date and authorization.

    My software and postman have the same values for:

    datatosign is

    (request-target): get /v1/groups
    host: rms-world-check-one-api-pilot.thomsonreuters.com
    date: Tue, 11 Apr 2017 13:51:28 GMT

    authorisation is

    Signature keyId="6f23c447-b6d8-4291-acda-a5f7e8fb48c3",algorithm="hmac-sha256",headers="(request-target) host date",signature="pBFw2eDXR2Npi18jImj+o9Mn/leo/OsDn8MXlh0VlSA="

    dates is

    Tue, 11 Apr 2017 13:51:28 GMT

    endpoint is

    https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/groups

    Call is this way

    OleObject loo_xmlhttp
    long ll_status_code
    loo_xmlhttp = CREATE oleobject
    loo_xmlhttp.ConnectToNewObject("Msxml2.XMLHTTP.6.0")
    loo_xmlhttp.open ("GET", requestendpoint, false)
    loo_xmlHTTP.setRequestHeader("Authorization",authorisation)
    loo_xmlHTTP.setRequestHeader("Date",dates)
    loo_xmlhttp.send()
    ls_status_text = loo_xmlhttp.StatusText
    ll_status_code = loo_xmlhttp.Status

    I have debugged and checked every variable.

    Any hint? some other header missing?

    Is there a way that Thomson Reuters can debug my session or verify if something is being sent incorrectly?

    Regards

    Alfredo
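
The signing and encoding steps discussed in this thread, as an added Python example (not code from any poster or from the World-Check documentation). It builds the LF-joined signing text for the documented request, signs it, and shows why base64 of the hex text differs from base64 of the raw digest bytes. The request, secret "1234", API key "4321" and the posted digest come from this page; the function names are illustrative.

```python
import base64
import hmac

# Request from the corrected documentation on this page (LF endings, no trailing newline).
BODY = '{\n  "caseId": "my customer ID",\n  "name": "John Doe",\n  "providerTypes": ["WATCHLIST"]\n}'
HEADERS = [
    ("host", "rms-world-check-one-api.thomsonreuters.com"),
    ("date", "Tue, 07 Jun 2016 20:51:35 GMT"),
    ("content-type", "application/json"),
    ("content-length", str(len(BODY.encode("utf-8")))),
]
# Hex digest posted in the thread, used here only to compare the two encodings.
POSTED_HEX = "487c2b186b9dd6e29455dd1840a1bd57c3725159cad96948b528ba0beb9bbb92"


def signing_text(method, path, headers, body=""):
    """Join '(request-target)' and the signed headers with LF, then append the body."""
    lines = [f"(request-target): {method.lower()} {path}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\n".join(lines) + ("\n" + body if body else "")


def sign(secret, text):
    """Return the raw 32-byte HMAC-SHA256 digest (bytes, not a hex string)."""
    return hmac.new(secret.encode("utf-8"), text.encode("utf-8"), "sha256").digest()


def b64_of_raw(hex_digest):
    """Correct: turn the hex back into bytes, then base64 those 32 bytes."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def b64_of_hex_text(hex_digest):
    """The mistake from the thread: base64 of the 64 ASCII hex characters."""
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")


def authorization(key_id, headers, signature_b64):
    """Build the Authorization header value in the format shown on this page."""
    names = " ".join(["(request-target)"] + [name for name, _ in headers])
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{names}",signature="{signature_b64}"')


if __name__ == "__main__":
    text = signing_text("POST", "/v1/cases", HEADERS, BODY)
    sig = base64.b64encode(sign("1234", text)).decode("ascii")
    print(authorization("4321", HEADERS, sig))
    print(b64_of_raw(POSTED_HEX), b64_of_hex_text(POSTED_HEX))
```

For the posted digest, `b64_of_raw` yields the string Postman returned and `b64_of_hex_text` yields the string the online encoder returned.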