Well, having been trying this for a while, I'm having serious problems using this on a Linux platform.

I seem to have some success if I place quotes around the command line:

    $ cat message.bin | openssl dgst -sha256 -hmac "`cat key.bin`" -binary > mac.bin

But, to complicate things further, I'm trying to invoke this from Java. So I have something like:

    byte[] key = ....;
    Runtime.getRuntime().exec(new String[] {"openssl", "dgst", "-sha256", "-hmac", "\"" + new String(key) + "\"", "-binary"});

I then pipe my message in, and collect the output from the output stream. But no joy.

I believe this may be because Java does not run the command within a shell. I can try to force the use of the shell:

    Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "openssl", "dgst", "-sha256", "-hmac", "\"" + new String(key) + "\"", "-binary"});

But now my piped message either seems to get interpreted as an openssl command (so I just get something like "&%$£&$ is an invalid command" followed by a list of the standard openssl commands) or I get an "unexpected EOF while looking for matching `"'" error.

Can anybody offer any practical suggestions? I was hoping to avoid JNI (particularly on the FIPS build), but it seems to be looming ever closer.

Thanks,
Alistair.
________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Young, Alistair
Sent: 30 January 2009 09:31
To: openssl-users@openssl.org
Subject: OpenSSL command line HMAC

Hi,

To generate an HMAC key using SHA-256, I can issue the following command:

    openssl dgst -sha256 -hmac <key> -binary < message.bin > mac.bin

I realised (eventually!) that the key is not supplied as a hex string (0a0b34e5.. etc.) but in a binary format. Obviously this leads to some fairly unpleasant command lines when the key contains non-printable characters.

Can anybody comment on whether this is likely to cause problems for Windows or Linux?

Looking at the source code, there doesn't appear to be any other mechanism for passing the key via the command line. I'm using the FIPS 1.2 flavour of OpenSSL.

Many thanks,
Alistair.
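An added example, not part of the original thread and not code from the OpenSSL project: one way to run the `openssl dgst -sha256 -hmac <key> -binary` command from the messages above from Java on Linux without a shell, passing each argument as its own element and refusing keys whose bytes cannot survive as a command-line argument. The class name `OpensslHmac`, the helper `argvSafe` and the sample key and message are assumptions made for illustration, and a key passed this way is visible to other local users in the process list while openssl runs.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

public class OpensslHmac {
    // A key can travel as one argv entry only if every byte is 0x01..0x7F:
    // argv strings end at the first NUL, and bytes >= 0x80 may be altered
    // when Java converts between byte[] and String.
    static boolean argvSafe(byte[] key) {
        for (byte b : key) {
            if (b <= 0) return false; // 0x00, or 0x80..0xFF (negative as a Java byte)
        }
        return true;
    }

    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        if (!argvSafe(key)) {
            throw new IllegalArgumentException("key cannot be passed as a command-line argument");
        }
        // One list element per argument. No shell is involved, so the key gets
        // no surrounding quote characters; quotes would become part of the key.
        ProcessBuilder pb = new ProcessBuilder("openssl", "dgst", "-sha256",
                "-hmac", new String(key, StandardCharsets.US_ASCII), "-binary");
        pb.redirectError(ProcessBuilder.Redirect.INHERIT); // show openssl errors
        Process p = pb.start();
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(message); // closing stdin marks the end of the message
        }
        ByteArrayOutputStream mac = new ByteArrayOutputStream();
        try (InputStream stdout = p.getInputStream()) {
            byte[] buf = new byte[256];
            for (int n; (n = stdout.read(buf)) != -1; ) {
                mac.write(buf, 0, n);
            }
        }
        if (p.waitFor() != 0) {
            throw new IllegalStateException("openssl exited with an error");
        }
        return mac.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and message, for illustration only.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.US_ASCII);
        byte[] msg = "constructed message".getBytes(StandardCharsets.US_ASCII);
        System.out.println(hmacSha256(key, msg).length + " MAC bytes");
    }
}
```

For keys that fail the check, the `dgst` command in later OpenSSL releases accepts `-mac HMAC -macopt hexkey:<hex>`; the thread does not say whether the FIPS 1.2 build offers it.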