topic Re: Using sas/secure to generate hmac-sha1 oauth signature in SAS Programming

Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Sun, 15 Feb 2015 09:09:04 GMT

Hello everyone,

I'm trying to use sas/secure to generate a hmac-sha1 oauth signature. I have SAS 9.3 installed on a PC running windows 7 professional. Note I tried using proc pwencode with Method=sas003. My code ran, but the signature did not match the one I generated online. It was way too long. I'm using the linked page below to create the oauth_signature. How should I go about solving this problem? Do I need to use java (yikes!), or can I simply use a proc or options statement? Any help would be greatly appreciated. Thanks very much.

-Bill

http://nouncer.com/oauth/authentication.html

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Sun, 15 Feb 2015 22:20:34 GMT

Specifying method=sas003 will give you 256-bit key plus 16-bit salt AES encoding, totally different from SHA1. There is not a way (that I am familiar with) to generate a SHA1 hash with PROC PWENCODE. You can use java, which wouldn't be too complicated. Made much easier by the fact that PROC GROOVY exists in 9.3+

%let toHash=something to hashify;

proc groovy;

submit "&toHash.";

import java.security.MessageDigest

exports.sha1 = new BigInteger(1, MessageDigest.getInstance("SHA1").digest(args[0].getBytes())).toString(16)

endsubmit;

quit;

%put &sha1.;

Side-note: You shouldn't post the same question to multiple communities.

Re: Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Mon, 16 Feb 2015 08:54:27 GMT

FriedEgg,

Thanks so much for your help. Code works and produces a sha1 signature. Quick follow-up questions, if I have key and text components to go into the digest function (digest = HMAC-SHA1 (key, text)), can I simply use a macro variable like %let disgest_inputs=&key.,&text.;? Or should I do something different?

My apologies about the double post. I deleted the other thread. I was having trouble posting my question the other night and inadvertently created a duplicate post.

Thanks again!

Regards,

Bill

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Mon, 16 Feb 2015 14:12:07 GMT

%let key = mykey;

%let message = helloworld;

proc groovy;

submit "&key." "&message.";

import javax.crypto.Mac

import javax.crypto.spec.SecretKeySpec

def hmacsha1(key, message) {

mac = Mac.getInstance("HmacSHA1")

mac.init(new SecretKeySpec(key.getBytes(), "HmacSHA1"))

sha1_bytes = mac.doFinal(message.getBytes())

return new BigInteger(1, sha1_bytes).toString(16)

}

exports.hmacsha1 = hmacsha1(args[0], args[1])

endsubmit;

quit;

%put &hmacsha1.;

Re: Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Tue, 17 Feb 2015 09:32:51 GMT

FriedEgg,

Thanks so much for the code and your time. I tried to recreate the oauth_signature for a GET example on nouncer.com (url is below). I created macro variables that generate the key and message inputs correctly (comparisons are below). However, when I compute the oauth_signature, I get a much different answer to what's on the website. Noucner.com states that the oauth_signature must be base64-encoded. I'm using put statement with format $base64x32767. Is this correct? Also, should I upgrade java? Currently, I'm running version 6 update 24.

Thanks again and sorry to keep hassling you with this.

-Bill

Compare oauth signature inputs

Key

sas

kd94hf93k423kf44&pfkkdhi9sl3r4s00

website

kd94hf93k423kf44&pfkkdhi9sl3r4s00

Message

sas

GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

website (called signature base string)

Compare oauth_signature output

sas

YjUxZGZlNGYyZjM1OTRjNzk4MDJiZmM1ODlkZDI0MzEzNjFhZmQ2Mw==

website

tR3+Ty81lMeYAr/Fid0kMTYa/WM=

Link to GET example on http://nouncer.com/oauth/authentication.html

(May have to first click on a radio button on the top of the page to something other than the example and then back on the example to see the details. This is the only way that I can view all the information.)

SAS log:

529 dm 'clear log';

530

531 *Oauth vars;

532 %let oauth_consumer_key=dpf43f3p2l4k3l03;

533 %let oauth_consumer_secret=kd94hf93k423kf44;

534 %let oauth_token=nnch734d00sl2jdk;

535 %let oauth_token_secret=pfkkdhi9sl3r4s00;

536 %let oauth_signature_method=HMAC-SHA1;

537 %let oauth_version=1.0;

538 %let url=%sysfunc(urlencode(http://photos.example.net/photos));

539 %let oauth_size=original;

540 %let oauth_file=vacation.jpg;

541 %let oauth_timestamp=1191242096;

542 %let oauth_nonce=kllo9940pd9333jh;

543

544 *Vars for oauth signature;

545 %let API_TIME_STAMP=%str(oauth_timestamp=&oauth_timestamp.);

546 %let API_NONCE=%str(oauth_nonce=&oauth_nonce.);

547 %let API_KEY=%str(oauth_consumer_key=&oauth_consumer_key.);

548 %let API_SECRET=%str(oauth_consumer_secret=&oauth_consumer_secret.);

549 %let API_METHOD=%str(oauth_signature_method=&oauth_signature_method.);

550 %let API_TOKEN=%str(oauth_token=&oauth_token.);

551 %let API_VERSION=%str(oauth_version=1.0);

552 %let API_SIZE=%str(size=&oauth_size.);

553 %LET API_FILE=%str(file=&oauth_file.);

554 %let API_CONSUMER_SECRET=%sysfunc(urlencode(&oauth_consumer_secret.));

555 %let API_TOKEN_SECRET=%sysfunc(urlencode(&oauth_token_secret.));

556

557 %let

557! string=&API_FILE.%str(&)&API_KEY.%str(&)&API_NONCE.%str(&)&API_METHOD.%str(&)&API_TIME_STAMP.%str

557! (&)&API_TOKEN.%str(&)&API_VERSION.%str(&)&API_SIZE.;

558 %let message=%str(GET)%str(&)&url.%str(&)%sysfunc(urlencode(&string.));

559 %put &message.;

GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-

SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

560

561 %let key=&API_CONSUMER_SECRET.%str(&)&API_TOKEN_SECRET.;

562 %put &key;

kd94hf93k423kf44&pfkkdhi9sl3r4s00

563

564

565 proc

565! groovy;

566

567 submit "&key." "&message.";

WARNING: The quoted string currently being processed has become more than 262 characters long. You

might have unbalanced quotation marks.

568

569 import javax.crypto.Mac

570 import javax.crypto.spec.SecretKeySpec

571

572 def hmacsha1(key, message) {

573 mac = Mac.getInstance("HmacSHA1")

574 mac.init(new SecretKeySpec(key.getBytes(), "HmacSHA1"))

575

576 sha1_bytes = mac.doFinal(message.getBytes())

577

578 return new BigInteger(1, sha1_bytes).toString(16)

579 }

580

581 exports.hmacsha1 = hmacsha1(args[0], args[1])

582

583 endsubmit;

NOTE: Exporting macro variable "hmacsha1".

NOTE: The SUBMIT command completed.

584

585 quit;

NOTE: PROCEDURE GROOVY used (Total process time):

real time 0.01 seconds

cpu time 0.00 seconds

586

587 %put &hmacsha1.;

b51dfe4f2f3594c79802bfc589dd2431361afd63

588

589 data _null_;

590 oauth_signature = put("&hmacsha1.",$base64x32767.);

591 call symput('oauth_signature',oauth_signature);

592 run;

NOTE: DATA statement used (Total process time):

real time 0.00 seconds

cpu time 0.00 seconds

593

594 %put &oauth_signature.;

YjUxZGZlNGYyZjM1OTRjNzk4MDJiZmM1ODlkZDI0MzEzNjFhZmQ2Mw==

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Tue, 17 Feb 2015 16:57:29 GMT

I would recommend you continue using the private Java runtime provided by your SAS installation.

This is because they are looking for the base64 encoding of the byte array, you are creating the base64 encoding of the hexadecimal representation of the byte Hmac-SHA1 digest.

%let key = kd94hf93k423kf44&pfkkdhi9sl3r4s00;

%let message = GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal;

proc groovy;

add sasjar="commons_codec" version="1.7.0.0_SAS_20121211183158";*version may differ based on your installation. Check your SAS Versioned Jar Repository;

submit "&key." "&message.";

import javax.crypto.Mac

import javax.crypto.spec.SecretKeySpec

import org.apache.commons.codec.binary.Base64

def base64hmacsha1(key, message) {

mac = Mac.getInstance("HmacSHA1")

mac.init(new SecretKeySpec(key.getBytes(), "HmacSHA1"))

sha1_bytes = mac.doFinal(message.getBytes())

base64 = new Base64()

return new String(base64.encode(sha1_bytes))

}

exports.base64hmacsha1 = base64hmacsha1(args[0], args[1])

endsubmit;

quit;

%put &base64hmacsha1.;

/*tR3+Ty81lMeYAr/Fid0kMTYa/WM=*/

Message was edited by: FriedEgg - typo corrected in RED, also added reference for common-codec sasjar

Re: Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Tue, 17 Feb 2015 21:22:20 GMT

I added the classpath for the groovy-all.2.4.0.jar per your recommendation in another thread. However, now I'm getting a different type of error:

334 dm 'clear log';

335

336 %let key = %nrstr(kd94hf93k423kf44&pfkkdhi9sl3r4s00);

337 %let message =

337! %nrstr(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddp

337! f43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_time

337! stamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal);

338

339

340 proc

340! groovy;

341

342 add classpath="C:\Program Files (x86)\Groovy\Groovy-2.4.0\lib\groovy-all.2.4.0.jar";

NOTE: The ADD CLASSPATH command completed.

343

344 submit "&key." "&message.";

WARNING: The quoted string currently being processed has become more than 262 characters long. You

might have unbalanced quotation marks.

345

346 import javax.crypto.Mac

347 import javax.crypto.spec.SecretKeySpec

348 import org.apache.commons.codec.binary.Base64

349

350 def base64hmacsha1(key, message) {

351 mac = Mac.getInstance("HmacSHA1")

352 mac.init(new SecretKeySpec(key.getBytes(), "HmacSHA1"))

353

354 sha1_bytes = mac.doFinal(message.getBytes())

355

356 base64 = new Base64()

357 return new String(base64.encode(sha1_bytes))

358 }

359

360

361 exports.base64hmacsha1 = hmacsha1(args[0], args[1])

362

363

364 endsubmit;

groovy.lang.MissingMethodException: No signature of method: Script10.hmacsha1() is applicable for

argument types: (java.lang.String, java.lang.String) values: [kd94hf93k423kf44&pfkkdhi9sl3r4s00,

GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l

03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D119124209

6%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal]

at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.unwrap(ScriptBytecodeAdapter.java:54)

at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.callCurrent(PogoMetaClassSite.java:78)

at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:44)

at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:143)

at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:155)

at Script10.run(Script10.groovy:17)

ERROR: The SUBMIT command failed.

365

366

367 quit;

NOTE: The SAS System stopped processing this step because of errors.

NOTE: PROCEDURE GROOVY used (Total process time):

real time 0.03 seconds

cpu time 0.01 seconds

WARNING: Apparent symbolic reference HMACSHA1 not resolved.

368 %put &hmacsha1.;

&hmacsha1.

369 /*tR3+Ty81lMeYAr/Fid0kMTYa/WM=*/

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Tue, 17 Feb 2015 21:32:00 GMT

I did not test that posting and missed replacing the method call with the proper name. You should be good now.

Re: Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Tue, 17 Feb 2015 21:52:26 GMT

Success! Thanks so very much for your time and help with this. I've tried numerous different ways to generate the oauth_signature. Finally, I found a solution that works with sas.

Regards,

Bill

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Tue, 17 Feb 2015 21:59:48 GMT

If you are having issues with the commons-codec you can use the version that should be included in your sas versioned jar repository using a statement similar to the following:

add sasjar="commons_codec" version="1.7.0.0_SAS_20121211183158";

The version will be specific to your installation.

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Tue, 17 Feb 2015 22:17:15 GMT

I have created a gist containing the various PROC GROOVY codes shared in this post.

Using PROC GROOVY in SAS to Calculate Hash Digests

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Tue, 17 Feb 2015 22:18:39 GMT

@BillJones,

Glad it work out for you.

Re: Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Tue, 17 Feb 2015 22:21:56 GMT

Thanks! I just realized that I need the commons-codec and not the groovy-all.2.4.0.jar. I used the explicit classpath syntax to get the code to run.

add classpath="C:\Program Files (x86)\Groovy\Groovy-2.4.0\lib\commons-codec-1.10.jar";

Works perfectly now. Truly appreciate your expertise and help.

Re: Using sas/secure to generate hmac-sha1 oauth signature

NG_Forest — Wed, 20 May 2015 09:05:45 GMT

HI,

Firstly apologies if this is the wrong place to post...first time I've used this!

Thank you for posting the code above - it's really helped me. I'm trying to SHA1 encode entries in a file, but I can't find a way of incorporating the code into a macro and thus can only do one at a time using the code you provided below.

proc sql noprint;

select mskey, emailcode

into :mskey, :emailcode

from trust;

quit;

%let toHash=&mskey&emailcode;

proc groovy;

submit "&toHash.";

import java.security.MessageDigest

exports.sha1 = new BigInteger(1, MessageDigest.getInstance("SHA1").digest(args[0].getBytes())).toString(16)

endsubmit;

quit;

%put &toHash;

%put &sha1.;

When I try and incorporate in a macro it mentions that the submit block cannot be directly placed in a macro. Instead, place the submit block into a file first and then use %include to include the file within a macro definition. Sorry, my coding is not good enough to make this work

Any help would be much appreciated!

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Wed, 20 May 2015 17:56:49 GMT

@NG_Forest,

It would be best to create a new post for you question as SHA1 and HMAC-SHA1 are significantly different topics.

Also, I have posted on this subject previously, it does not use PROC GROOVY, as it did not exist at the time (the code in this post could be adapted to use is though):

Using a macro to perform this type of task on every record in a file is really less than ideal. The better approach would be using the data step java object.

Re: Using sas/secure to generate hmac-sha1 oauth signature

NG_Forest — Thu, 21 May 2015 13:43:09 GMT

@FriedEgg,

Thanks for taking the time to respond and apologies for not starting a new post.

Once I have a Java compiler installed on my machine I'll certainly give your other method a go.

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Thu, 21 May 2015 15:48:37 GMT

@NG_Forest

I updated the post to include a similar method using PROC GROOVY at the same link as above

Re: Using sas/secure to generate hmac-sha1 oauth signature

NG_Forest — Thu, 21 May 2015 16:06:54 GMT

@FriedEgg,

Once again, thank you so much...it works perfectly

Re: Using sas/secure to generate hmac-sha1 oauth signature

BillJones — Sun, 28 Jun 2015 04:20:27 GMT

FriedEgg,

Thanks again for your help. I use the code you provided to generate oauth signatures, and everything works great with cURL. However, when I try to use proc http, I keep getting signature invalid errors. I'm attempting to query a website that has oauth 1.0. I checked with the website admin, and they receive my post requests and state there are no issues with the parameters; Keys, header, & body are all fine. Note the site is https but I updated my SAS config file to reference a cacert file, so I don't believe that's the issue. Also, I triple checked my signatures, and they match the nouncer.com site. (Again, I can query the website with cURL I want to use proc http because it should be faster.) It appears that proc http does something to the header, url, or body of my request such that the oauth signature becomes invalid. Do you have any idea of what could be going on? Also, is there a master document which has all the details of proc http? I've read the online sas documentation, but was hoping for something more detailed.

-Bill

Re: Using sas/secure to generate hmac-sha1 oauth signature

FriedEgg — Sun, 28 Jun 2015 04:59:55 GMT

PROC HTTP does set some header item itself, and manually setting the same header attributes yourself I have seen lead to problems. The documentation for the procedure that you have found online is as in-depth as I have seen available anywhere (which is not very detailed). I do not recall exactly what headers I have seen cause issues, but I am pretty sure one of the was the content-type. I have not tried it, but the documentation for PROC SOAP hints that there are some jreotions you can set to receive additional debug logging for the httpclient. I would try setting that up for your session and see if it can be helpful at all with PROC HTTP.

http://support.sas.com/documentation/cdl/en/proc/65145/HTML/default/viewer.htm#n1lvy6ht8ywii2n1jpwp3czll6no.htm

the assumption is somewhat confirmed in the 9.4 documentation:

http://support.sas.com/documentation/cdl/en/proc/67327/HTML/default/viewer.htm#n1hee3s3s3j9oxn1x6czzzdqsj4u.htm

There is also an option in PROC HTTP called VERBOSE, which I do not recall being in the documentation syntax?

I have scripts running frequently using a hmac-sha1 authentication schemes daily, through PROC HTTP, so I know at the very least, I know it's possible (even on some of the servers still running 9.2).