How to generate signature by cURL alone without Postman

Question

question

naoto.tatemichi

83 ●2 ●8 ●7

How to generate signature by cURL alone without Postman

I'm trying to access WC1 API via cURL command.
When I use Postman, it responds 200 properly, and using that signature cURL properly responds.
However I'm stuck on generating signature by cURL alone.
Can I get a cURL command sample to generate signature (and timestamp) using my secret access key?

Here's what I tired (using signature generated by Postman) - it works only for 1 minute.

$ curl -X GET \
  https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/groups \
　-H 'Authorization: Signature keyId="f63fc14f-981f-4bba-95e0-eb65800e8126",algorithm="hmac-sha256",headers="(request-target) host date",signature="xtijpe/hMeEP<removed>=="' \
  -H 'Date: Sun, 04 Aug 2019 07:53:21 GMT' \

world-check world-check-one

Aug 05, 2019 at 02:15 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 1 · 2019-08-08T05:52:13Z

naoto.tatemichi

83 ●2 ●8 ●7

Thanks @Irfan.Khan
Now I made it in PHP which works fine.

$secret_file = '/var/www/api_secret.txt';


$api_key = "YOUR_API_KEY";
$secret = file_get_contents($secret_file);
$gateway_url = "/v1/";
$gateway_host = "rms-world-check-one-api-pilot.thomsonreuters.com";
$time_gmt = gmdate("D, d M Y h:i:s") . " GMT";


$dataToSign = "(request-target): get " . $gateway_url . "groups\n" . "host: " . $gateway_host . "\n" . "date: " . $time_gmt;


$hmac = base64_encode(hash_hmac('sha256', $dataToSign, $secret, true));


$authorisation = "Signature keyId=\"" . $api_key . "\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date\",signature=\"" . $hmac . "\"";



echo $authorisation;

Aug 08, 2019 at 05:52 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Irfan.Khan Aug 14, 2019 at 12:23 AM

@naoto.tatemichi Request you to post the curl command that you used to send the request so that it can help our other developer community members.

Answer 2 · 2019-08-05T06:10:12Z

Prabhjyot

4.5k ●4 ●8 ●8

@naoto.tatemichi,

Thank you for your query.

Can you please share the request headers along with the response headers of the failed API call to investigate on the cause of the Error 401.

Aug 05, 2019 at 06:10 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

naoto.tatemichi Aug 05, 2019 at 09:51 AM

Thanks @Prabhjyot.Mandla
All those headers are following "-H" in the command.
But now I found either PHP or bash would be easier.

Answer 3 · 2019-08-05T08:40:34Z

Irfan.Khan

4.2k ●8 ●5 ●6

@naoto.tatemichi

It would be easier if you write a script file like PHP to generate date and HMAC signature and then use curl library in the script to send your HTTP request.

Aug 05, 2019 at 08:40 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

naoto.tatemichi Aug 05, 2019 at 09:48 AM

Hi @Irfan.Khan
Now I generated the signature by bash:

$ echo -n f63fc14f-981f-4bba-95e0-eb65800e8126 | openssl dgst -sha256 -hmac <secret_key>
(stdin)= 7d4338cfd54768<removed>

Also tried using the signature above to get 401 error. I think I may have failed to calculate signature by date and time.
May I know what's wrong?

$ curl -X GET https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/groups -H 'Accept: */*' -H 'Authorization: Signature keyId="f63fc14f-981f-4bba-95e0-eb65800e8126",algorithm="hmac-sha256",headers="(request-target) host date",signature="7d4338cfd54768<removed>"' -I

HTTP/1.1 401 Unauthorized X-Application-Context: application Authorization: WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length Transfer-Encoding: chunked Date: Mon, 05 Aug 2019 13:29:56 GMT Server: ""

Irfan.Khan naoto.tatemichi Aug 05, 2019 at 09:56 AM

@naoto.tatemichi

Can you compare the HMAC that you are generating from bash and the HMAC that you generate using the Postman. Obviously the date in Postman should be the same as you have used in Bash. You can edit the pre request script in Postman, specically the "date" variable to the date you have used in bash command.

Also, when you are generating HMAC using bash, you have to make sure you are blending the API secret with the dataTOSign variable. Are you doing this step?

Answer 4 · 2019-08-05T10:03:51Z

Irfan.Khan

4.2k ●8 ●5 ●6

@naoto.tatemichi

I see you are using the below command-

<code>echo -n "value"| openssl dgst -sha1 -hmac "key"

Here "value" should be data to sign variable. This is available in the pre request script too.

In pre request of Postman, the dateToSign variable is written in JS.

var dataToSign = "(request-target): get " + environment["gateway-url"] + "groups\n" +
"host: " + environment["gateway-host"] + "\n" +
"date: " + date;

You have to write something that can produces exactly the same format.

Key should be your API secret.

Aug 05, 2019 at 10:03 AM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Irfan.Khan Aug 07, 2019 at 05:27 AM

@naoto.tatemichi Following up to see if you were able to resolve the problem.

If yes, kindly share with us so that it helps the community.

Q&A Forum

question

How to generate signature by cURL alone without Postman

4 Answers

Write an Answer

question

How to generate signature by cURL alone without Postman

4 Answers

Write an Answer

Related Questions