Thanks Gustaf,
Yes, it works fine!
I was not able to understand the verification part. I was trying to learn it 
by repeating the method of base64* with encode/decode. Then, after decrypting, 
to verify if secret and data were both the same from the original request.
Best wishes,
I



On May 26, 2020, at 13:05, i...@iurix.com <i...@iurix.com> wrote:

Thanks Gustaf,
It works now.

p.s. I don't understand why the subject of this thread got replaced with a 
previous thread that I opened.
The original email that I sent has the subject: "Verifying HMAC signature 
[ns_crypto::hmac ...]"

-------- Original Message --------
Subject: Re: [naviserver-devel] What to do when [ns_base64encode]
doesn't encrypt properly after the 63rd char?
From: Gustaf Neumann <neum...@wu.ac.at>
Date: Tue, May 26, 2020 12:27 am
To: naviserver-devel@lists.sourceforge.net

Iuri, 
The ns_crypto::hmac performs the HMAC (Keyed-Hashing for 
Message Authentication) as specified in RFC 2104, using a symmetric 
key provided via argument.

The HMAC can be verified the same way as a plain digest (without a secret):
If a received HMAC (or digest) should be verified, it must be recomputed.
In the case of the HMAC, the receiver has to know the secret. 

I see no need for an extra API call:
===========================================================================
set secret_key "foobar1234"
set data "This is my data"
set HMAC [ns_crypto::hmac string -digest sha256 $secret_key $data]
#
# To verify a received HMAC, one needs the key and the data as well
#
if { $HMAC eq [ns_crypto::hmac string -digest sha256 $secret_key $data] } {
    ns_log notice "Data verified"
}
===========================================================================
The ns_crypto interface also provides the interface based on key files
(PEM files) provided for "ns_crypto::md". In the case of the PEM 
files, it is more effort to extract keys, since there exist several 
algorithms, key types etc., which are specified inside the PEM 
files. Therefore, this interface works for multiple key types, 
including RSA and elliptic curves.

In this variant, the message key can be signed with 

   set sig [::ns_crypto::md string ... -sign PEM ...] 

and verified with 

   ::ns_crypto::md string ... -verify PEM -signature $sig ... 

Below is the example from the man page.

all the best
-gn
===========================================================================
% set sig [::ns_crypto::md string \
    -digest sha1 \
    -encoding binary \
    -sign /usr/local/src/naviserver/myprivate.pem \
    "abcdefghijklmnopqrstuxvwxyz\n"]

% set vfy [::ns_crypto::md string \
    -digest sha1 \
    -verify /usr/local/src/naviserver/myprivate.pem \
    -signature $sig \
    "abcdefghijklmnopqrstuxvwxyz\n"]
1
===========================================================================



_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
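
The receiver-side check described in Gustaf's message (recompute the HMAC with the shared secret, then compare), written out as an added example that is not part of the original thread or of NaviServer itself. It assumes it runs inside NaviServer, where `ns_crypto::hmac` and `ns_log` are available; the proc names `hmac_equal` and `verify_hmac` are hypothetical, and the sample values are constructed. Unlike a plain `eq`, the comparison here inspects every character instead of stopping at the first difference.

```tcl
# Added example, not from the original thread. Proc names are hypothetical.

# Compare two strings without returning at the first differing character,
# so the comparison does not reveal how long the matching prefix is.
# The length check may return early: the HMAC length is not a secret.
proc hmac_equal {a b} {
    if {[string length $a] != [string length $b]} {
        return 0
    }
    set diff 0
    foreach ca [split $a ""] cb [split $b ""] {
        # Accumulate the XOR of the character codes; any mismatch sets a bit.
        set diff [expr {$diff | ([scan $ca %c] ^ [scan $cb %c])}]
    }
    return [expr {$diff == 0}]
}

# Receiver side: recompute the HMAC over the received data with the shared
# secret and compare it to the HMAC that arrived with the message.
proc verify_hmac {secret_key data received_hmac} {
    set expected [ns_crypto::hmac string -digest sha256 $secret_key $data]
    return [hmac_equal $expected $received_hmac]
}

# Constructed sample values (same key and data as in the message above).
set secret_key "foobar1234"
set data       "This is my data"

# Sender side: compute the HMAC that travels together with the data.
set HMAC [ns_crypto::hmac string -digest sha256 $secret_key $data]

# Receiver side: one accepted case and three cases that must be rejected.
ns_log notice "unmodified data: [verify_hmac $secret_key $data $HMAC]"
ns_log notice "modified data:   [verify_hmac $secret_key "This is my data!" $HMAC]"
ns_log notice "wrong secret:    [verify_hmac "foobar1235" $data $HMAC]"
ns_log notice "truncated HMAC:  [verify_hmac $secret_key $data [string range $HMAC 0 31]]"
```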