Hi Dave - thanks for your reply!

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 06 February 2009 00:29
To: openssl-users@openssl.org
Subject: RE: OpenSSL command line HMAC

> > From: owner-openssl-us...@openssl.org On Behalf Of Young, Alistair
> > Sent: Wednesday, 04 February, 2009 09:52
>
> > I seem to have some success if I place quotes around the [Linux]
> > command line:
> >
> >   $ cat message.bin | openssl dgst -sha256 -hmac "`cat key.bin`" -binary > mac.bin
>
> (Don't need cat here, just < on the openssl. But that's not your question.)

Yes, indeed - this just struck me as the closest analog to what I'm doing in Java: writing the message to the process's input stream. (In fact, from the command line I think that you can just supply the message file as a parameter without need for piping or redirection.)

> > But, to complicate things further, I'm trying to invoke this from Java.
> > So I have something like:
> >
> >   byte[] key = ....;
> >   Runtime.getRuntime().exec("openssl", "dgst", "-sha256", "-hmac",
> >       "\"" + new String(key) + "\"", "-binary");
> >
> > I then pipe my message in, and collect the output from the output stream.
>
> In the Java I have (SDK5=jre1.6.0_02) I can't Runtime.exec multiple strings
> like that, I have to put them in an array with {}. (Or a single String, but
> then I'm not sure whose parsing rules are used and when.) With a String [],
> don't add quotes around the key value. In a shell command, " ' \ are processed
> by the shell before being passed to the program. As are the ` above.
> Then it works for me.

You're right about the array, of course - this was some poorly transcribed code! :)

Without the quotes, if my hmac key contains a space or tab character, it seems that somewhere along the way the two halves of the key are treated as separate parameters. So, if my key was "£$%& £$%&*", attempting to execute the command simply results in OpenSSL giving a "£$%&* not found" error. Adding the quotes didn't work because, if I understand things correctly, the notion of quotes (or escaping characters with \) is a shell concept - hence my attempt to force the command to run under a shell.

> > But no joy. I believe this may be because Java does not run the command
> > within a shell.
> >
> > I can try to force the use of the shell:
> >
> >   Runtime.getRuntime().exec("/bin/bash", "-c", "openssl", "dgst", "-sha256",
> >       "-hmac", "\"" + new String(key) + "\"", "-binary");
> >
> > But now my piped message either seems to get interpreted as an openssl command
> > (so I just get something like "&%$£&$ is an invalid command" followed
> > by a list of the standard openssl commands) or I get an "unexpected EOF
> > while looking for matching `"'" error.
>
> You don't need a shell, but if you want one, -c takes the entire command
> (line) as the single next argument. Your call is telling bash to do just
> "openssl", so it runs openssl with no arguments, and openssl tries to
> interpret stdin. Here you WOULD need " around non-text key so shell parses
> it correctly, and I think actually ' if it contains $ or ` which shell does
> interpret inside ", and I think you need to \ any quote or \ in it. I would
> avoid that.

Yes, I tried various permutations - including passing the openssl command as a single parameter to the shell, and preceding each character of the key with an escaping '\' - but no luck!

Ultimately I settled on the use of a shell script to act as an intermediary:

  #!/bin/bash
  # Read the key from the file named by the (quoted) first argument.
  /usr/local/ssl/fips-1.0/bin/openssl dgst -sha256 -hmac "`cat "$1"`" -binary

My Java code then writes the key to a file, and then invokes the script, passing the filename as a parameter. The Java code can then pipe the message through and collect the MAC before deleting the key file. I don't really like having to write the key to disk, but I couldn't make it work any other way.

Incidentally, the simple approach (simply passing the key as a parameter, regardless of its content) worked flawlessly under Windows (using non-FIPS OpenSSL).

Alistair.
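An added example (not the original poster's code) of the array form Dave describes, using ProcessBuilder so a key containing spaces, tabs or shell metacharacters reaches openssl as one argument with no shell involved; the openssl path, key and message are constructed sample values, and it assumes a UTF-8 locale.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OpensslHmac {
    // Run `openssl dgst -sha256 -hmac <key> -binary` with the key as ONE argv
    // element. ProcessBuilder (like Runtime.exec(String[])) hands each element to
    // the program unchanged: no re-tokenising on whitespace, no quote or backslash
    // processing. Assumes a UTF-8 locale; argv cannot carry NUL bytes (binary keys).
    static byte[] hmacViaOpenssl(String opensslPath, String key, byte[] message)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(
                opensslPath, "dgst", "-sha256", "-hmac", key, "-binary").start();
        // Pipe the message in, then close stdin so openssl sees EOF.
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(message);
        }
        // Collect the raw 32-byte MAC from stdout.
        ByteArrayOutputStream mac = new ByteArrayOutputStream();
        try (InputStream stdout = p.getInputStream()) {
            byte[] chunk = new byte[256];
            int n;
            while ((n = stdout.read(chunk)) != -1) mac.write(chunk, 0, n);
        }
        if (p.waitFor() != 0) {
            throw new IOException("openssl exited with status " + p.exitValue());
        }
        return mac.toByteArray();
    }

    // Same MAC computed in-process: no subprocess, no argv, no key file.
    static byte[] hmacInProcess(String key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key containing a space and shell metacharacters.
        String key = "£$%& £$%&*";
        byte[] msg = "message to authenticate".getBytes(StandardCharsets.UTF_8);
        boolean same = Arrays.equals(hmacViaOpenssl("openssl", key, msg),
                                     hmacInProcess(key, msg));
        System.out.println("openssl and in-process HMAC agree: " + same);
    }
}
```

Either route still exposes the key locally for the duration of the call: in the process list (ps, /proc/<pid>/cmdline) when it travels in argv, and on disk with the key-file script. Where the FIPS build of the openssl binary is not a hard requirement, computing the MAC in-process as hmacInProcess does avoids both.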
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org