[GitHub] [apisix] riskgod commented on issue #4117: { message: 'Invalid signature' } in hmac after add Date clock_skew

Fri, 23 Apr 2021 00:38:31 -0700 


riskgod commented on issue #4117:
URL: https://github.com/apache/apisix/issues/4117#issuecomment-825460444


   > Try to set the value of `clock_skew` to a higher value?
   
   still failed, after test 2 kind of valid, one is success without clock_skew, 
here is the test code
   
   ```
   const crypto = require('crypto');
   const axios = require('axios').default;
   import qs from 'qs';
   const today = new Date();
   const dateNow = today.toGMTString();
   
   
   const check_address = 
   `POST
   /checkAddress
   
   user-key-kelly
   ${dateNow}
   User-Agent:curl/7.29.0
   x-custom-a:test
   `;
   const live = 
   `GET
   /health
   
   user-key-kelly
   ${dateNow}
   User-Agent:curl/7.29.0
   x-custom-a:test
   `;
   const userWithdrawal = 
   `POST
   /userWithdrawal
   
   user-key-tomi
   Mon, Tue, 19 Jan 2021 11:33:20 GMT
   User-Agent:curl/7.29.0
   x-custom-a:test
   `;
   const sign_string_tomi = crypto.createHmac('sha256', 
"my-secret-key—tomi").update(check_address).digest("base64");
   const sign_string_kelly = crypto.createHmac('sha256', 
"my-secret-key—kelly").update(live).digest("base64");
   
   console.log(sign_string_kelly)
   
   async function testTomi() {
       const bodyData = {"coin":"BTC", 
"address":"rpE6gE8jEN1trDwQwe47VmgDL5y6m3XX2n"};
       const headers = {
           "Content-Type": "application/json",
           "X-HMAC-SIGNATURE": sign_string_tomi,
           "X-HMAC-ALGORITHM": "hmac-sha256",
           "X-HMAC-ACCESS-KEY": "user-key-tomi",
           "Date": dateNow,
           "X-HMAC-SIGNED-HEADERS": "Date;User-Agent;x-custom-a",
           "User-Agent": "curl/7.29.0",
           "x-custom-a": "test"
       }
       try {
           const options = {
               method: 'POST',
               headers: headers,
               data: qs.stringify(bodyData),
               url: "http://127.0.0.1:9080/checkAddress";
           };
           const result = await axios(options);
           console.log(result.data)
       } catch (error) {
           console.error(error.response.data)
       }
           
   }
   
   async function testkelly() {
       const headers = {
           "X-HMAC-SIGNATURE": sign_string_kelly,
           "X-HMAC-ALGORITHM": "hmac-sha256",
           "X-HMAC-ACCESS-KEY": "user-key-kelly",
           "Date": dateNow,
           "X-HMAC-SIGNED-HEADERS": "User-Agent;x-custom-a",
           "User-Agent": "curl/7.29.0",
           "x-custom-a": "test"
       }
       try {
           const options = {
               method: 'GET',
               headers: headers,
               url: "http://127.0.0.1:9080/health";
           };
           const result = await axios(options);
           console.log(result.data)
       } catch (error) {
           console.error(error.response.data)
       }
           
   }
   
   // testkelly()
   testTomi()
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to