Search code examples
angulartypescriptcryptojs

Angular4/Typescript sign Kraken API call (CryptoJS)

I am trying to call the Kraken API from my Agnular4 project. I am using the crypto-js library https://www.npmjs.com/package/crypto-js.

Kraken requires this signature:

API-Sign = Message signature using HMAC-SHA512 of (URI path + SHA256(nonce + POST data)) and base64 decoded secret API key

Correct result:
gy+Ljq8nPD2kFFCQSofQ46pbPV8z8D7klrU78Kxvl6jyior/Ev2FiclhKs+zoqrmL8u8u1Y9CXzIw0n3CswtNA==

Result from:
CryptoJS.HmacSHA512(path + CryptoJS.enc.Hex.stringify(hashDigest), secret);

DWtQpzZJkcHw7Ai1aFUNAR8ne0h3P/GaHc1OIUGsITifOOE+IAWF9f5HxspSY5wF6qcQwCKx9Bz1MDwFhu01QA==

I have made these calls before out of an Android App and it worked (see code and result at the bottom of this post).

I have also tried out a lot of things for several days. I have probably made a dumb mistake :D

Thanks in advance for reading and hopefully replying to this :)

Here is my Angular4 client code:

import * as CryptoJS from 'crypto-js';
...
this.API_SECRET = "0a...g==";
...
private getMessageSignature(path: string, request: string, nonce: number) {
    console.log('getMessageSignature', path, request, nonce);
    console.log('request', request);
    const message = nonce + request;
    var secret = CryptoJS.enc.Base64.parse(this.API_SECRET);
    var hashDigest = CryptoJS.SHA256(message);
    var hashDigestBase64 = CryptoJS.enc.Base64.stringify(hashDigest);
    console.log('hashDigest', CryptoJS.enc.Base64.stringify(hashDigest)); // correct
    console.log('hashDigest', CryptoJS.enc.Hex.stringify(hashDigest)); // correct

    var hmacDigest = CryptoJS.HmacSHA512(path + hashDigest, secret);
    console.log('hmacDigest', CryptoJS.enc.Base64.stringify(hmacDigest));
    var hmacDigest1 = CryptoJS.HmacSHA512(path + CryptoJS.enc.Base64.stringify(hashDigest), secret);
    console.log('hmacDigest1', CryptoJS.enc.Base64.stringify(hmacDigest1));
    var hmacDigest2 = CryptoJS.HmacSHA512(path + CryptoJS.enc.Hex.stringify(hashDigest), secret);
    console.log('hmacDigest2', CryptoJS.enc.Base64.stringify(hmacDigest2));
    var hmacDigest3 = CryptoJS.HmacSHA512(path + CryptoJS.enc.Latin1.stringify(hashDigest), secret);
    console.log('hmacDigest3', CryptoJS.enc.Base64.stringify(hmacDigest3));

    var hmacDigest4 = CryptoJS.HmacSHA512(path + hashDigest, this.API_SECRET);
    console.log('hmacDigest4', CryptoJS.enc.Base64.stringify(hmacDigest4));
    var hmacDigest5 = CryptoJS.HmacSHA512(path + CryptoJS.enc.Base64.stringify(hashDigest), this.API_SECRET);
    console.log('hmacDigest5', CryptoJS.enc.Base64.stringify(hmacDigest5));
    var hmacDigest6 = CryptoJS.HmacSHA512(path + CryptoJS.enc.Hex.stringify(hashDigest), this.API_SECRET);
    console.log('hmacDigest6', CryptoJS.enc.Base64.stringify(hmacDigest6));
    var hmacDigest7 = CryptoJS.HmacSHA512(path + CryptoJS.enc.Latin1.stringify(hashDigest), this.API_SECRET);
    console.log('hmacDigest7', CryptoJS.enc.Base64.stringify(hmacDigest7));

    return CryptoJS.enc.Base64.stringify(hmacDigest);
}

Angular4 result:

getMessageSignature /0/private/Balance nonce=1503065538999 1503065538999
request nonce=1503065538999
hashDigest EcvBaI+IvdvibXZ4UiNlcuAvT8fPPdAItwhBrCNx7q8=
hashDigest 11cbc1688f88bddbe26d767852236572e02f4fc7cf3dd008b70841ac2371eeaf
hmacDigest DWtQpzZJkcHw7Ai1aFUNAR8ne0h3P/GaHc1OIUGsITifOOE+IAWF9f5HxspSY5wF6qcQwCKx9Bz1MDwFhu01QA==
hmacDigest1 3f+oCR9hagmWESRcaZhfU6gHlMNFnnRCP25Yslc1nitfFvkq+/SikcByeWNQFWICkTLUOxMxQr4LBw2mcGwC9g==
hmacDigest2 DWtQpzZJkcHw7Ai1aFUNAR8ne0h3P/GaHc1OIUGsITifOOE+IAWF9f5HxspSY5wF6qcQwCKx9Bz1MDwFhu01QA==
hmacDigest3 87Zs0C/7b1fPuINnkB8WHQ1LhUG9u3hMMIt1hGOKszWZ4yHfohdlLLe2eUdpZr+c2B24ecYaqc/r6WRcDp5sdg==
hmacDigest4 MySDdpd+ufXJLp6BhP2oGpvnCrs1FUlIFp5+4P6oW0Zf3H9CfuQ3Z6BioUr9l2O3Y1VXfo9qhHNtRO/F8NS5Ag==
hmacDigest5 ndMT5/pjEgYI1qd7cpaloiJJ6Q6ktBl2R9Kgi4kL3UwSiSix/jLi9sFQdZTNqmqJIt70GFNqbDUyQII+FOj/tw==
hmacDigest6 MySDdpd+ufXJLp6BhP2oGpvnCrs1FUlIFp5+4P6oW0Zf3H9CfuQ3Z6BioUr9l2O3Y1VXfo9qhHNtRO/F8NS5Ag==
hmacDigest7 iOU29TPq7vm2gQ6totB9UbVrQGUBNbxK5G7nbqMXWJFjdO2BTTpQD59bCPjkijPz3hgQkwdHpdHimJfCIXYYAw==

Android Code:

private static String calculateSignature(String nonce, String data, String path) {
    System.out.println("calculateSignature " + nonce + " " + data + " " + path);
    String signature = "";
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update((nonce + data).getBytes());
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(Base64.decode(API_SECRET.getBytes(), Base64.NO_WRAP), "HmacSHA512"));
        mac.update(path.getBytes());
        byte[] digest = md.digest();
        System.out.println("digest = " + Base64.encodeToString(digest, Base64.NO_WRAP));
        signature = Base64.encodeToString(mac.doFinal(digest), Base64.NO_WRAP);
        System.out.println("signature = " + signature);
    } catch(Exception e) {}
    return signature;
}

Android result:

calculateSignature 1503065538999 nonce=1503065538999 /0/private/Balance
digest = EcvBaI+IvdvibXZ4UiNlcuAvT8fPPdAItwhBrCNx7q8=
signature = gy+Ljq8nPD2kFFCQSofQ46pbPV8z8D7klrU78Kxvl6jyior/Ev2FiclhKs+zoqrmL8u8u1Y9CXzIw0n3CswtNA==
Solution

  • The problem was that the methods provided by @types/crypto-js only include string methods.

    So I removed the package and can use the update methods, etc.

    private getMessageSignature(apiSecret: string, path: string, request: string, nonce: number) {
  const secret = CryptoJS.enc.Base64.parse(apiSecret);
  const hashDigest = CryptoJS.SHA256(nonce + request);

  const hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA512, secret);
  hmac.update(path);
  hmac.update(hashDigest);

  return CryptoJS.enc.Base64.stringify(hmac.finalize());
}