request help: 测试hmac-auth插件时提示Invalid signature

[tghfly]

Issue description

在测试 hmac-auth 插件时一直提示 Invalid signature

Environment

• apisix version：2.2
• OS: Linux apisix01 3.10.0-327.4.5.el7.x86_64 change: added doc of how to load plugin. #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
• OpenResty / Nginx version: nginx version: openresty/1.19.3.1

具体操作步骤是参照：https://github.com/apache/apisix/blob/master/doc/zh-cn/plugins/hmac-auth.md

1、创建 consumer 对象，并设置插件 hmac-auth 的值

curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "tgh",
    "plugins": {
        "hmac-auth": {
            "access_key": "test-key",
            "secret_key": "test-secret-key",
            "clock_skew": 0,
            "signed_headers": ["x-custom-a"]
        }
    }
}'

2、创建 Route 或 Service 对象，并开启 hmac-auth 插件。

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "plugins": {
        "hmac-auth": {}
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "172.20.11.172:8080": 1
        }
    }
}'

3、按照 文档【hmac-auth.md】中【签名生成公式】和【签名生成示例】生成签名

secret_key=test-secret-key

signing_string="GET
/

test-key 
Mon, 18 Jan 2021 09:35:39 GMT
x-custom-a:test
"

shell 脚本生成

#!/bin/bash
SECRET="test-secret-key"
MESSAGE="GET
/index.html

test-key
Mon, 18 Jan 2021 09:35:39 GMT
x-custom-a:test
"
# to lowercase hexits
echo -n $MESSAGE | openssl dgst -sha256 -hmac $SECRET

# to base64
echo -n $MESSAGE | openssl dgst -sha256 -hmac $SECRET -binary | base64

按shell代码生成的签名（base64）为：vycNuRE4In8s9DyREidj7hPUuhcKsZA3NsRSdboRZI8=

4、在shell终端使用curl请求

ACCESS_KEY=test-key
SIGNATURE=vycNuRE4In8s9DyREidj7hPUuhcKsZA3NsRSdboRZI8=
ALGORITHM=hmac-sha256
DATE="Mon, 18 Jan 2021 09:35:39 GMT"
SIGNED_HEADERS="x-custom-a"

curl -i -vv http://172.20.11.161/index.html \
-H "x-custom-a:test" \
-H "X-HMAC-SIGNATURE: $SIGNATURE" \
-H "X-HMAC-ALGORITHM: $ALGORITHM" \
-H "X-HMAC-ACCESS-KEY: $ACCESS_KEY" \
-H "X-HMAC-SIGNED-HEADERS: $SIGNED_HEADERS"

返回结果是：【HTTP/1.1 401 Unauthorized】【{"message":"Invalid signature"}】

返回内容如下：

* About to connect() to 172.20.11.161 port 80 (#0)
*   Trying 172.20.11.161...
* Connected to 172.20.11.161 (172.20.11.161) port 80 (#0)
> GET /index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.20.11.161
> Accept: */*
> x-custom-a:test
> X-HMAC-SIGNATURE: vycNuRE4In8s9DyREidj7hPUuhcKsZA3NsRSdboRZI8=
> X-HMAC-ALGORITHM: hmac-sha256
> Date: Mon, 18 Jan 2021 09:35:39 GMT
> X-HMAC-ACCESS-KEY: test-key
> X-HMAC-SIGNED-HEADERS: x-custom-a
> 
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Date: Tue, 19 Jan 2021 00:51:51 GMT
Date: Tue, 19 Jan 2021 00:51:51 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Connection: keep-alive
Connection: keep-alive
< Server: APISIX/2.2
Server: APISIX/2.2
< 
{"message":"Invalid signature"}
* Connection #0 to host 172.20.11.161 left intact
* ```

诉求：在文档描述生成签名那能否再详细一点，最好是提供一个可测试的用例，谢谢。

[membphis]

ping @Firstsawyou you can take a look when you have time, many thx

[membphis]

[Firstsawyou]

ping @Firstsawyou you can take a look when you have time, many thx

Okay, I am troubleshooting this issue.

[membphis]

@tghfly you can take a look at the test case, it may help you: https://github.com/apache/apisix/blob/master/t/plugin/hmac-auth.t#L325

[tghfly]

我在生成签名的shell脚本里有带上 /index.html ，/ 和 /index.html生成签名都试过，仍然提示无效

[Firstsawyou]

我在生成签名的shell脚本里有带上 /index.html ，/ 和 /index.html生成签名都试过，仍然提示无效

This is caused by the incorrect format of the newline in the shell processing the signature string. You can first try to verify it using Python.

[Firstsawyou]

Hi, @tghfly
For shell signature, you can try it like this:

#!/bin/bash
SECRET="test-secret-key"
MESSAGE="GET\n/index.html\n\ntest-key\nMon, 18 Jan 2021 09:35:39 GMT\nx-custom-a:test"

# to lowercase hexits
echo -n $MESSAGE | openssl dgst -sha256 -hmac $SECRET

# to base64
echo -e $MESSAGE | openssl dgst -sha256 -hmac $SECRET -binary | base64

[wangyp0701]

hmac-auth-generate-signature
This is the shell script I used

SECRET="admin1"
MESSAGE='''GET
/get
age=36&name=james
admin2
Thu, 18 Jan 2024 06:51:16 GMT
User-Agent:curl/7.29.0
'''

# to lowercase hexits
echo  -n "${MESSAGE}" | openssl dgst -sha256 -hmac $SECRET

# to base64
echo  -n  "${MESSAGE}" | openssl dgst -sha256 -hmac $SECRET -binary | base64

[wangyp0701]

This is the lua script I used

access_by_lua_block {
        local hmac = require("resty.hmac")
        local secret = 'admin1'
        local message = [[
GET
/get
age=36&name=james
admin2
Thu, 18 Jan 2024 06:51:16 GMT
User-Agent:curl/7.29.0
]]
        local digest = hmac:new(secret, hmac.ALGOS.SHA256):final(message)

        --to lowercase hexits
        --ngx.say(digest)

        --to base64
        ngx.say(ngx.encode_base64(digest))
      } 

[jojo1313]

/usr/local/apisix/apisix/plugins/hmac-auth.lua core.log.warn("signing_string: ", signing_string,
" params.signed_headers:",
core.json.delay_encode(params.signed_headers))