Hi Dave - thanks for your reply!

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dave Thompson
Sent: 06 February 2009 00:29
To: openssl-users@openssl.org
Subject: RE: OpenSSL command line HMAC

> > From: owner-openssl-us...@openssl.org On Behalf Of Young, Alistair
> > Sent: Wednesday, 04 February, 2009 09:52

> > I seem to have some success if I place quotes around the [Linux]
> > command line:
> > $ cat message.bin | openssl dgst -sha256 -hmac "`cat key.bin`" -binary > mac.bin

> (Don't need cat here, just < on the openssl. But that's not your question.)

Yes, indeed - this just struck me as the closest analog to what I'm doing in 
Java: writing the message to the process's input stream.  (In fact, from the 
command line I think that you can just supply the message file as a parameter 
without need for piping or redirection).

> > But, to complicate things further, I'm trying to invoke this from Java.
> > So I have something like:
> >    byte[] key = ....;
> >    Runtime.getRuntime().exec("openssl", "dgst", "-sha256", "-hmac",
> >        "\"" + new String(key) + "\"", "-binary");
> > I then pipe my message in, and collect the output from the output stream.

> In the Java I have (SDK5=jre1.6.0_02) I can't Runtime.exec multiple strings 
> like that, I have to put them in an array with {}. (Or a single String, but
> then I'm not sure whose parsing rules are used and when.) With a String [], 
> don't add quotes around the key value. In a shell command, " ' \ are processed
> by the shell before being passed to the program. As are the ` above.
> Then it works for me.

You're right about the array, of course - this was some poorly transcribed 
code!  :)

Without the quotes, if my hmac key contains a space or tab character, it seems 
that somewhere along the way, the two halves of the key are treated as separate 
parameters.  So, if my key was "£$%& £$%&*", attempting to execute the command 
simply results in OpenSSL giving a "£$%&* not found" error.

Adding the quotes didn't work because, if I understand things correctly, the 
notion of quotes (or escaping characters with \) is a shell concept - hence my 
attempt to force the command to run under a shell.

> > But no joy.  I believe this may be because Java does not run the command
> > within a shell.
> > I can try to force the use of the shell:
> >    Runtime.getRuntime().exec("/bin/bash", "-c", "openssl", "dgst", "-sha256",
> >        "-hmac", "\"" + new String(key) + "\"", "-binary");
> > But now my piped message either seems to get interpreted as an openssl command
> > (so I just get something like "&%$£&$ is an invalid command" followed
> > by a list of the standard openssl commands) or I get an "unexpected EOF
> > while looking for matching `"'" error.

> You don't need a shell, but if you want one, -c takes the entire command
> (line) as the single next argument. Your call is telling bash to do just 
> "openssl", so it runs openssl with no arguments, and openssl tries to
> interpret stdin.  Here you WOULD need " around non-text key so shell parses
> it correctly, and I think actually ' if it contains $ or ` which shell does
> interpret inside ", and I think you need to \ any quote or \ in it. I would 
> avoid that.

Yes, I tried various permutations - including passing the openssl command as a 
single parameter to the shell, and preceding each character of the key with an 
escaping '\' - but no luck!

Ultimately I settled on the use of a shell script to act as an intermediary:

#!/bin/bash
# $1 is the path of the key file written by the Java side; the message arrives on stdin.
# Note: command substitution strips trailing newlines from the key and cannot carry NUL bytes.
/usr/local/ssl/fips-1.0/bin/openssl dgst -sha256 -hmac "$(cat "$1")" -binary

My Java code then writes the key to a file, and then invokes the scripts 
passing the filename as a parameter.  The Java code can then pipe the message 
through and collect the MAC before deleting the key file.

I don't really like having to write the key to disk, but I couldn't make it 
work any other way.

Incidentally, the simple approach (simply passing the key as a parameter, 
regardless of its content) worked flawlessly under Windows (using non-FIPS 
OpenSSL).


Alistair.
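Added example, not code from the thread. Two things in the discussion above are worth pinning down in working code. First, `Runtime.exec(String)` (the single-string form) tokenises the command on whitespace, which is exactly what splits a key like "£$%& £$%&*" into two arguments; `ProcessBuilder` (or `exec(String[])`) passes each array element as one argv entry with no shell involved, so no quoting or backslash escaping is needed or wanted. Second, `new String(key)` and the argv encoding both go through the platform default charset, and argv is a C string, so arbitrary binary key bytes (anything not representable in that charset, or a NUL byte) cannot be passed on the command line at all, and whatever is passed is visible to other local users through the process list. The code below computes the HMAC in-process with `javax.crypto.Mac`, which avoids both the command line and the key file, and optionally cross-checks it against a no-shell `openssl dgst` invocation. The key and message are constructed sample values; `openssl` on `PATH` (or the path given as the first program argument) is an assumption.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class HmacCheck {

    // HMAC-SHA256 entirely in-process: the key never reaches argv, the
    // environment, or the filesystem.
    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // Runs the openssl CLI without a shell. Each array element is one argv
    // entry, so a key containing spaces or tabs stays a single argument and
    // no shell quoting rules apply. The key must still be text in the
    // platform charset and contain no NUL byte, because argv is a C string.
    static byte[] hmacViaOpenssl(String opensslPath, String key, byte[] message)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(
                opensslPath, "dgst", "-sha256", "-hmac", key, "-binary");
        Process p = pb.start();
        // Write the message to stdin and close it so openssl sees EOF.
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(message);
        }
        byte[] out = readAll(p.getInputStream());
        int rc = p.waitFor();
        if (rc != 0) throw new IOException("openssl exited with status " + rc);
        return out;
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key with a space and a tab: the case that is
        // split into two arguments by Runtime.exec(String), but not by an
        // argv array.
        String keyText = "pass phrase\twith whitespace";
        byte[] key = keyText.getBytes(StandardCharsets.UTF_8);
        byte[] message = "hello world".getBytes(StandardCharsets.US_ASCII);

        byte[] local = hmacSha256(key, message);
        System.out.println("in-process : " + hex(local));

        // Optional cross-check against the CLI; skipped if openssl is absent.
        String openssl = args.length > 0 ? args[0] : "openssl";
        try {
            byte[] cli = hmacViaOpenssl(openssl, keyText, message);
            System.out.println("openssl cli: " + hex(cli));
            System.out.println("match      : " + Arrays.equals(local, cli));
        } catch (IOException e) {
            System.out.println("openssl not run: " + e.getMessage());
        }
    }
}
```

If the reason for shelling out is that the MAC has to come from the FIPS-validated OpenSSL module (the `/usr/local/ssl/fips-1.0` path above suggests so), the `ProcessBuilder` form at least removes the shell and the on-disk key file; the remaining exposure is the key in the process's argv, which the in-process `Mac` path does not have.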

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org