-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 07 February 2009 01:59
To: openssl-users@openssl.org
Subject: RE: OpenSSL command line HMAC

> > Without the quotes, if my hmac key contains a space or tab character,
> > it seems that somewhere along the way, the two halves of the key are
> > treated as separate parameters. So, if my key was "£$%& £$%&*",
> > attempting to execute the command simply results in OpenSSL giving a
> > "£$%&* not found" error.
> >
> Are those pounds in 8859-1, as posted? I don't use any non-US charsets here
> and so can't easily test that, but with "$%& $%&*" (minus quotes) it (still)
> works for me. (I previously lazily tested on my local Windows instead of
> Linux, but this time to be certain I used a convenient Linux box, which
> actually has an older jre, 1.5.0_06-b05 .)

Sorry - those were intended to be indicative of non-printable characters. The actual key is a string of bytes, effectively chosen at random (i.e. in the range 0x00-0xff).

> <snip>
> > Incidentally, the simple approach (simply passing the key as a
> > parameter, regardless of its content) worked flawlessly under Windows
> > (using non-FIPS OpenSSL).
> >
> That makes me really suspicious. I wonder if it might be an issue with
> high-half signed characters somewhere, or Unicode encoding, or such.
> Could you try passing the desired arguments to instead a simple program
> that just shows you exactly what it's getting, something like:
> [snip]

Yes, I think you've hit the nail on the head there. One of the problems seems to lie in the byte[] -> String conversion. In some test code I have a block like this:

    byte[] key = {... 32 bytes ...};
    String keyString = new String(key);
    System.out.println(key.length);
    System.out.println(keyString.length());

Under Windows, for my test key, key.length and keyString.length are both 32. Under Linux, the former is 32, but the latter is 29.

I can (try to) force the same encoding:

    String keyString = new String(key, "Cp1252");

Now the lengths match, but the resulting hash differs between Linux and Windows (and from the test data I'm using, I know that the Windows hash is correct).

If the key contains a zero-byte, then the command fails under both Linux and Windows.

Ultimately, I've opted for Steffan's suggestion, with the Java code generating an escaped character sequence and passing this to a bash script. As far as I can determine, there's no way of forcing Java to produce a String which contains exactly the desired set of bytes.

Thanks to everyone for the suggestions.

Alistair.
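
The byte[] -> String problem described in the message above, shown as an added example that is not code from the original post: a binary key decoded with a charset such as UTF-8 does not survive the round trip, while hex-encoding it, or computing the HMAC in-process from the raw bytes, keeps every byte. The class name, the sample key and message, and the choice of HmacSHA256 are assumptions made for the illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; HmacKeyBytes and all sample values are hypothetical.
public class HmacKeyBytes {
    // True if decoding the key to a String and encoding it back yields the same bytes.
    static boolean roundTrips(byte[] key, Charset cs) {
        return Arrays.equals(key, new String(key, cs).getBytes(cs));
    }

    // Hex is pure ASCII: no NUL, no whitespace, no charset-dependent bytes.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // HMAC computed from the raw bytes; the key never becomes a String.
    static byte[] hmac(String algorithm, byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance(algorithm);
        mac.init(new SecretKeySpec(key, algorithm));
        return mac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed 32-byte sample key: high-half bytes plus 0x00, a space and a tab.
        byte[] key = new byte[32];
        for (int i = 0; i < key.length; i++) {
            key[i] = (byte) (0x80 + i * 4);
        }
        key[5] = 0x00;
        key[6] = ' ';
        key[7] = '\t';
        byte[] message = "constructed test message".getBytes(StandardCharsets.US_ASCII);

        String decoded = new String(key, StandardCharsets.UTF_8); // malformed input is replaced
        System.out.println("bytes=" + key.length + " chars(UTF-8)=" + decoded.length());
        System.out.println("UTF-8 round trip:      " + roundTrips(key, StandardCharsets.UTF_8));
        System.out.println("ISO-8859-1 round trip: " + roundTrips(key, StandardCharsets.ISO_8859_1));
        System.out.println("hex key: " + toHex(key));
        System.out.println("HMAC:    " + toHex(hmac("HmacSHA256", key, message)));
    }
}
```

A NUL byte can never appear inside a command-line argument, because arguments are handed to the child process as NUL-terminated C strings, so a key containing 0x00 has to travel in an encoded form such as hex or stay inside the process.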