Poloniex api 403 error - poloniex

I am using this code to write a bot trader in Python 3 (converted with 2to3):
https://pastebin.com/fbkheaRb
except that I have changed the secret string and post_data string to bytes:
sign = hmac.new(self.Secret.encode("ASCII"), post_data.encode("ASCII"), hashlib.sha512).hexdigest()
but I am getting the error below:
urllib.error.HTTPError: HTTP Error 403: Forbidden
I have checked the key and secret key multiple times and they are correct.
I also deleted the existing key and created a new one.
I also relaxed all IP restrictions.
I still got the same problem, please help.

You don't need to encode to ASCII, so you may try:
sign = hmac.new(self.Secret, post_data, hashlib.sha512).hexdigest()

Related

Which Key Do We Use When Verifying Google ID Tokens

We're verifying a Google ID Token on ColdFusion servers. We have everything working but one thing puzzles me:
In the instructions here Google says to use their public keys to verify the token. When we retrieve the keys, in the JSON object there are 2 of them. Whether we grab the PEM or the JWT there are 2 keys.
Example JWT:
Example PEM:
How do we know which key to use? Through testing we find that one works and we're able to decode the JWT to validate while the other doesn't. Right now we're having to try both of them to see which one works. Is there something we're missing that indicates which of these keys is the one to use?
The keys are identified by the key Id "kid":
The "kid" (key ID) parameter is used to match a specific key.
In case of the JWK, you see the kid value in the JSON and you can see the same kid values in the first column of the PEM example. Your token has a "kid" claim in the header part. Decode the header to extract the kid.
e.g.:
{
"typ":"JWT",
"alg":"RS256",
"kid":"3dd6ca2a81dc2fea8c3642431e7e296d2d75b446"
}
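The lookup described in the answer above, as an added example that is not part of the original posts: read the "kid" from the token header and pick the matching entry from the published key set instead of trying each key. The key set contents and the second kid are constructed placeholders, and the signature check itself is left to a JWT library.

```python
import base64
import json

# Key ID taken from the header shown above; everything else is constructed.
PAGE_KID = "3dd6ca2a81dc2fea8c3642431e7e296d2d75b446"
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "constructed-older-key",
     "n": "placeholder-modulus-1", "e": "AQAB"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": PAGE_KID,
     "n": "placeholder-modulus-2", "e": "AQAB"},
]}


class KeySelectionError(Exception):
    """The token header does not identify exactly one usable key."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(header: dict) -> str:
    # Constructed, unsigned token: only the header matters for key selection.
    return ".".join([b64url(json.dumps(header).encode()), b64url(b"{}"), b64url(b"sig")])


def read_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise KeySelectionError("not a compact JWT")
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)  # JWTs strip base64 padding
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise KeySelectionError("unreadable header") from exc
    if not isinstance(header, dict):
        raise KeySelectionError("header is not a JSON object")
    return header


def select_key(token: str, jwks: dict, allowed_algs=("RS256",)) -> dict:
    header = read_header(token)
    if header.get("alg") not in allowed_algs:  # the verifier, not the token, picks the alg
        raise KeySelectionError("unexpected alg")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")]
    if "kid" not in header or len(matches) != 1:
        raise KeySelectionError("kid not in current key set; refetch keys, then reject")
    return matches[0]
```

A kid that is missing from the cached key set usually means the keys were rotated, so refetch the key set once before rejecting the token.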

Azure KeyVault signature fails during verification using javascript libraries intermittently

I am using Azure Key Vault for creating and storing my Secp256k1 keys. I am also using the sign API for getting my input string signed. I am working on a Secp256K1 blockchain network. These are the steps I follow to get the signature in Golang:
1. Converting my hex string into Byte[]
2. Sha256 of this Byte[]
3. RawURL encoding of this Sha:
   b64.RawURLEncoding.EncodeToString(sha)
4. Sending this to Key Vault for signature.
5. Decoding the response using RawURLEncoding:
   b64.RawURLEncoding.DecodeString(*keyOpsResp.Result)
6. Doing Hex of the []Byte array returned from 5th Step.
7. Sending the signature to the blockchain.
The problem I am facing is that signature is invalid sometimes. As in 2/5 times it works and other times signature verification fails.
I am thinking there is some special chars or padding thing that I am missing.
How can I resolve this?
PS: Azure uses non-deterministic signatures whereas chains usually use deterministic signs. I did some reading and found out that for verification it does not matter; both could be verified successfully. Let me know if I am wrong.
• Since you are using base64 encode RawURL for encoding purposes, you can check whether the following parts are included in the token request for the keyvault signature validation. They are as follows:
aud (audience): The resource of the token. Notice that this is https://vault.azure.net. This token will NOT work for any resource that does not explicitly match this value, such as graph.
iat (issued at): The number of ticks since the start of the epoch when the token was issued.
nbf (not before): The number of ticks since the start of the epoch when this token becomes valid.
exp (expiration): The number of ticks since the start of the epoch when this token expires.
appid (application ID): The GUID for the application ID making this request.
tid (tenant ID): The GUID for the tenant ID of the principal making this request.
It is important that all the values be properly identified in the token for the request to work.
• Also, please check the size of the block that is dependent on the target key and the algorithm to be used for validation of signature. In that, please check the ‘decryptParameters’, ‘algorithm’ and ‘ciphertext’ parameter for the returns that are displayed after the decrypt operation during signature validation.
Please find the link below for more details:
https://learn.microsoft.com/en-us/java/api/com.azure.security.keyvault.keys.cryptography.cryptographyasyncclient.decrypt?view=azure-java-stable

Google Cloud Storage list objects with name containing "%" return 403 error

I am getting my objects by calling
https://<bucket>.storage.googleapis.com/?prefix=folder%2F<object name>%2F&delimiter=/&max-keys=1000
I have tried with other special characters like !, #, #, $, ^, &, *, (, ), etc.
For the other special characters I just encode them in the , and I get the response just fine.
For example, with object "!#" under folder, the url is:
https://<bucket>.storage.googleapis.com/?prefix=folder%2F%21%22%2F&delimiter=/&max-keys=1000
However, when I try with object names with "%" and encode the percent sign to "%25", I get the following error:
<?xml version='1.0' encoding='UTF-8'?><Error><Code>InvalidSecurity</Code> <Message>The provided security credentials are not valid.</Message><Details>Request was not signed or contained a malformed signature</Details></Error>
What could be causing this issue?
Edit
So I have tried double encoding the percent sign such that '%' character becomes "%2525" in the request. However, in the response, the prefix is strangely "%25". After testing with more cases, it turns out a request is successful only when "%25" is followed by 2 characters both within the range of '0' and 'f', however, the response prefix would be wrong. For example, "%25ab" in the request would result in "%ab" in the response prefix.
I believe this is a service side bug: see https://issuetracker.google.com/issues/117932947
I think a workaround is to encode the percent twice. But this may start failing in the future when the bug is fixed.
The error message you're seeing is because you don't have enough permissions to access to your object.
If you're using an authentication method (APIkey, bearer, etc) make sure that they have the needed Roles for GCS.
However, I can see that you're calling the objects just as a GET request. Try to make your objects public and try it again with that encoding (%25). It should work.
Hope this is helpful!

Can't authenticate properly with Chef API

I have been attempting to put together a Scala library for making calls to Chef APIs but I keep getting this problem with authenticating the API calls.
I have triple checked and the private key is correct and all other headers. The code I am using is here:
https://github.com/LiamHaworth/shef/blob/master/src/main/scala/au/id/haworth/shef/ChefUtils.scala
and I am calling it like so
import au.id.haworth.shef.{RequestMethod, ChefUtils}
import au.id.haworth.shef.ChefServer
val key = io.Source.fromFile("user.pem").getLines.mkString("\n")
val chefServer = ChefServer("chef.example.com", 443, "https", "myorg", "myuser", key)
ChefUtils.sendRequestToServer(chefServer, RequestMethod.GET, "", "")
But I keep on getting this response from the server
"{"error":["Invalid signature for user or client 'myuser'"]}"
I am sure that the problem is simple and is staring me in the face but I can't see it so any help will be greatly appreciated
I have successfully got the API to authenticate. After using knife in debug mode to check what headers it was producing and adding an extra line into my mixlib to print the canonical headers, I got it working.
With the canonical headers printed by mixlib I ran them through my signing code and found that I wasn't getting the same result with the signature, so I dug a bit deeper to find I was signing my headers in the terribly wrong way.
I was digesting them, not signing them! After swapping out RSADigestSigner for Signature in my code and changing the algorithm (SHA1withRSA to RSA) I finally got the headers to be signed the same as the mixlib ones!
TL;DR I derped and used the wrong classes to do what I wanted to do. The changes I made can be seen in this commit:
https://github.com/LiamHaworth/shef/commit/2db2aa5b89cae272eecd0901be91533b61d2a6c3

Error: Signature matches only once in EC2 API request

I will show you my signing request.
https://ec2.eu-west-1.amazonaws.com?AWSAccessKeyId=THISISFAKEIDD
&Action=AuthorizeSecurityGroupIngress
&GroupId=sg-blahblah
&IpPermissions.1.FromPort=7264
&IpPermissions.1.IpProtocol=ani
&IpPermissions.1.IpRanges.1.CidrIp=272.64.292.200%2F32
&IpPermissions.1.ToPort=7264
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2014-06-10T05%3A25%3A10Z
&Version=2014-05-01
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw=
Signature was generated & this request was able to add my IP address (272.64.292.200) successfully into the security group (sg-blahblah). So that means, this request is correct & there is no error in my code for generating the signature.
OK. Now when I try to add another IP-address to the same group using the same signing request with a different IP-address parameter & Timestamp, a new signature is generated. But I am not able to add it to the security group. Signature Does not match. Calculated signature does not match is shown.
Why is that so? I use UTC time. If my request was incorrect, how was I able to add the IP address in the first place? Or is it an error from the server side of EC2?
It looks like you did some urlencoding, but you missed one thing... the value for the signature.
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw= (incorrect)
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw%3D (correct)
If you urlencode this value, that should be what you are missing. Having any of =+/ unencoded in the signature will break it.
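Why the request matched only once, as an added example that is not code from the question or the answer: a Signature Version 2 signature is base64 text, so whether it survives an unencoded trip through the query string depends on which characters that particular signature happens to contain. The parameters are the question's placeholder values, the secret key is constructed, and the receiver is modelled with Python's parse_qs as an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

HOST = "ec2.eu-west-1.amazonaws.com"
SECRET = b"constructed-secret-not-a-real-key"  # constructed for this example
BASE_PARAMS = {  # placeholder values copied from the question
    "AWSAccessKeyId": "THISISFAKEIDD",
    "Action": "AuthorizeSecurityGroupIngress",
    "GroupId": "sg-blahblah",
    "IpPermissions.1.FromPort": "7264",
    "IpPermissions.1.IpProtocol": "ani",
    "IpPermissions.1.IpRanges.1.CidrIp": "272.64.292.200/32",
    "IpPermissions.1.ToPort": "7264",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Version": "2014-05-01",
}


def rfc3986(value: str) -> str:
    return quote(value, safe="-_.~")


def sign_v2(params: dict, secret: bytes = SECRET) -> tuple:
    # Signature Version 2: sort by parameter name, encode, sign "GET\nhost\n/\nquery".
    canonical = "&".join(f"{rfc3986(k)}={rfc3986(v)}" for k, v in sorted(params.items()))
    to_sign = "\n".join(["GET", HOST, "/", canonical]).encode("utf-8")
    digest = hmac.new(secret, to_sign, hashlib.sha256).digest()
    return canonical, base64.b64encode(digest).decode("ascii")


def query_string(params: dict, encode_signature: bool) -> tuple:
    canonical, sig = sign_v2(params)
    sent = rfc3986(sig) if encode_signature else sig
    return f"{canonical}&Signature={sent}", sig


def survives(params: dict, encode_signature: bool) -> bool:
    # Assumption: the receiver form-decodes the query, as parse_qs does ("+" -> space).
    query, sig = query_string(params, encode_signature)
    return parse_qs(query)["Signature"][0] == sig


def count_survivors(encode_signature: bool, n: int = 60) -> int:
    stamps = (f"2014-06-10T05:25:{s:02d}Z" for s in range(n))
    return sum(survives(dict(BASE_PARAMS, Timestamp=t), encode_signature) for t in stamps)
```

Calling count_survivors(False) and count_survivors(True) over the same 60 timestamps shows that only some raw signatures arrive intact while every percent-encoded one does, which matches a request that works once and then fails with a new timestamp.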