Well, having been trying this for a while, I'm having serious problems using 
this on a Linux platform.
 
I seem to have some success if I place quotes around the command line:
 
$ cat message.bin | openssl dgst -sha256 -hmac "`cat key.bin`" -binary > mac.bin
 
But, to complicate things further, I'm trying to invoke this from Java.  So I 
have something like:
 
    byte[] key = ....;
    Runtime.getRuntime().exec(new String[] {"openssl", "dgst", "-sha256", "-hmac",
        "\"" + new String(key) + "\"", "-binary"});
 
I then pipe my message in, and collect the output from the output stream.
 
But no joy.  I believe this may be because Java does not run the command within 
a shell.  I can try to force the use of the shell:
 
    Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "openssl", "dgst",
        "-sha256", "-hmac", "\"" + new String(key) + "\"", "-binary"});
 
But now my piped message either seems to get interpreted as an openssl command 
(so I just get something like "&%$£&$ is an invalid command" followed by a list 
of the standard openssl commands) or I get an "unexpected EOF while looking for 
matching `"'" error.
 
Can anybody offer any practical suggestions?
 
I was hoping to avoid JNI (particularly on the FIPS build), but it seems to be 
looming ever closer.
 
Thanks,
 
 
Alistair.

________________________________

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Young, Alistair
Sent: 30 January 2009 09:31
To: openssl-users@openssl.org
Subject: OpenSSL command line HMAC


Hi,
 
To generate an HMAC key using SHA-256, I can issue the following command:
 
openssl dgst -sha256 -hmac <key> -binary < message.bin > mac.bin
 
I realised (eventually!) that the key is not supplied as a hex string 
(0a0b34e5.. etc.) but in a binary format.  Obviously this leads to some fairly 
unpleasant command lines when the key contains non-printable characters.
 
Can anybody comment on whether this is likely to cause problems for Windows or 
Linux?  Looking at the source code, there doesn't appear to be any other 
mechanism for passing the key via the command line.
 
I'm using the FIPS 1.2 flavour of OpenSSL.
 
Many thanks,
 
 
Alistair.
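
The Java-to-openssl invocation discussed in this thread, as an added example that is not part of the original messages. It assumes an OpenSSL 1.0.0 or later binary on the PATH, whose dgst command accepts `-mac HMAC -macopt hexkey:<hex>` (not the FIPS 1.2 build mentioned above), and Java 9 or later; the class and method names are hypothetical and the key and message are constructed samples.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OpensslHmacExample {

    // Hex-encode so that arbitrary key bytes survive as a single argv element.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    static byte[] opensslHmac(byte[] key, byte[] message) throws Exception {
        // One list element per argument: no shell runs, so no quoting is added.
        ProcessBuilder pb = new ProcessBuilder(
                "openssl", "dgst", "-sha256", "-mac", "HMAC",
                "-macopt", "hexkey:" + toHex(key), "-binary");
        pb.redirectError(ProcessBuilder.Redirect.INHERIT);
        Process p = pb.start();
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(message);           // closing stdin signals end of input
        }
        byte[] mac;
        try (InputStream stdout = p.getInputStream()) {
            mac = stdout.readAllBytes();    // raw 32-byte MAC, never via String
        }
        if (p.waitFor() != 0 || mac.length != 32) {
            throw new IllegalStateException("openssl dgst failed");
        }
        return mac;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key containing NUL, quote, newline and a high byte.
        byte[] key = {0x00, 0x22, 0x0a, (byte) 0xff, 0x41, 0x60, 0x24, 0x5c};
        byte[] message = "constructed sample message".getBytes("UTF-8");

        // Cross-check against the JCE implementation of HMAC-SHA256.
        Mac jce = Mac.getInstance("HmacSHA256");
        jce.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] expected = jce.doFinal(message);

        byte[] actual = opensslHmac(key, message);
        System.out.println("openssl: " + toHex(actual));
        System.out.println("match:   " + MessageDigest.isEqual(expected, actual));
    }
}
```

The key still travels in the child's argument list, which other local users can read from the process table while openssl runs, so this form belongs on hosts where that exposure is acceptable.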


