手记

使用nodejs/python实现bitmex API的签名signature

其实不光是bitmex,现在主流的数字货币交易网站都是采用类似的API认证方式,因此,本篇文章其实是适用于火币,OKEX等其他交易所的签名生成的

数字货币交易所的API安全认证

securityDefinitions":{"apiKey":{"type":"apiKey","in":"header","name":"api-key"},"apiSignature":{"type":"apiKey","in":"header","name":"api-signature"},"apiExpires":{"type":"apiKey","in":"header","name":"api-expires"}},"security":[{"apiKey":[],"apiSignature":[],"apiExpires":[]}]}

一般来说都是3个值需要配置:

  • api-expires: 本次API调用的有效时间,超过该时间调用失效,避免重放攻击
  • api-key: 与你的api-secret是一个pair对,一一对应,知道了api-key即可查询到api-secret
  • api-signature: api-secretmessage一起生成的签名,这里的message一般包括:
    • verb
    • url
    • nonce
    • data

举例:'POST/api/v1/order1416993995705{"symbol":"XBTZ14","quantity":1,"price":395.01}',如果是GET,没有body的话,则data为''

api-signature的生成规则一般为:
hmac_sha256,输出值需转化为 hex

这里,假设我们有一组KEY和SECRET:

API_KEY = "096oNuabZ57u9IozHP9vdpOx"
API_SECRET = “hqMMxKBYtYJ2bLQayvxVd3aqPXEz_KVIHImqq17oTbzmmVBJ”

python 实现

import hashlib
import hmac
from future.builtins import bytes

secret = bytes("hqMMxKBYtYJ2bLQayvxVd3aqPXEz_KVIHImqq17oTbzmmVBJ",'utf8')
message = bytes('POST/api/v1/order1416993995705{"symbol":"XBTZ14","quantity":1,"price":395.01}','utf8')
print(hmac.new(secret,message, digestmod=hashlib.sha256).hexdigest())

输出为:

a0719c00dbd3f5a3bcdd5a63af1473e7c5cfbd3fd504eae8a6cdbf3938a7821f

nodejs 实现

先定义同样的变量:

let secret = "hqMMxKBYtYJ2bLQayvxVd3aqPXEz_KVIHImqq17oTbzmmVBJ";
let message = 'POST/api/v1/order1416993995705{"symbol":"XBTZ14","quantity":1,"price":395.01}';

crypto

var crypto = require('crypto');

console.log(crypto.createHmac('sha256', secret).update(message).digest('hex'));

输出为:

a0719c00dbd3f5a3bcdd5a63af1473e7c5cfbd3fd504eae8a6cdbf3938a7821f

crypto-js

var CryptoJS = require('crypto-js')
console.log(CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(message,secret)) )

这里特别注意,CryptoJS.HmacSHA256的参数顺序,message在前面,secret在后面
输出为:

a0719c00dbd3f5a3bcdd5a63af1473e7c5cfbd3fd504eae8a6cdbf3938a7821f
0人推荐
随时随地看视频
慕课网APP