On Thu, Oct 01, 2009, Michael D. Adams wrote:
> How would I securely compute a MAC for a file? The obvious way
> (below) has a security leak as it puts the key on the command line
> which other users could easily observe with "ps -f".
>
> $ openssl dgst -sha1 -hmac <key> <file>
>
> I would have thought that something like what "openssl enc" has with "-pass
> file:<keyfile>" would be available, but I haven't been able to find an
> equivalent for "openssl dgst" (even the 1.0beta's "-macopt" flag
> doesn't do this).
>
> Am I missing something here? What is the proper way to compute a MAC
> on the command line?
Well, the openssl utility is a test utility, and if you really want something secure you should write a custom program. Writing one for HMAC shouldn't take more than a few lines.

For 1.0.0, MAC support is included, which treats it as a signature algorithm where the "key" just happens to be an unstructured stream of bytes. You can even use pseudo PEM files which can be "generated". For example:

    openssl genpkey -algorithm hmac -pkeyopt key:hello -out hmac.pem
    openssl sha1 -sign hmac.pem -hex somefilename

The actual "key" is just the base64 encoded MAC key with headers included.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
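The "custom program" Steve suggests, as an added example that is not part of the original thread and not OpenSSL's own code. It uses only the Python standard library: `hmac.new()` over the same key bytes and file contents yields the tag that `openssl dgst -sha1 -hmac <key> <file>` prints, but the key is read from a file, so it never shows up in `ps`. The key file is treated exactly as the thread describes it (base64 of the raw key bytes between header/footer lines); the label `HMAC KEY` in the constructed sample, the script name `hmacfile.py` and the RFC 2202 test vector used as sample input are assumptions added here, and the parser does not depend on the label.

```python
"""HMAC over a file with the key read from a key file, never from argv.

Added example, not code from the original thread or from OpenSSL.
"""
import base64
import hashlib
import hmac
import io
import os
import sys


def load_pem_mac_key(pem_text: str) -> bytes:
    """Recover the raw MAC key: drop the -----BEGIN/END----- lines and
    base64-decode what is left.  The header label is not interpreted."""
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def keyfile_is_private(st_mode: int) -> bool:
    """True when the file mode grants no group/other permission bits.

    A key file readable by other users leaks the key just as argv does."""
    return (st_mode & 0o077) == 0


def hmac_stream(stream, key: bytes, digestmod=hashlib.sha1, chunk=65536) -> str:
    """Hex HMAC tag over a binary stream, read in chunks so a large file is
    never held in memory at once."""
    mac = hmac.new(key, digestmod=digestmod)
    for block in iter(lambda: stream.read(chunk), b""):
        mac.update(block)
    return mac.hexdigest()


def hmac_bytes(data: bytes, key: bytes, digestmod=hashlib.sha1, chunk=65536) -> str:
    """Same computation for in-memory data (chunk exposed so chunking can be tested)."""
    return hmac_stream(io.BytesIO(data), key, digestmod, chunk)


def hmac_file(path: str, key: bytes, digestmod=hashlib.sha1) -> str:
    with open(path, "rb") as f:
        return hmac_stream(f, key, digestmod)


def verify_tag(data: bytes, key: bytes, expected_hex: str,
               digestmod=hashlib.sha1) -> bool:
    """Check a tag in constant time; a plain == on tags leaks timing."""
    actual = hmac_bytes(data, key, digestmod)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed sample: RFC 2202 HMAC-SHA1 test case 2, key "Jefe" (base64
# "SmVmZQ=="), wrapped in an assumed PEM-style header/footer.
SAMPLE_PEM = (
    "-----BEGIN HMAC KEY-----\n"
    "SmVmZQ==\n"
    "-----END HMAC KEY-----\n"
)
SAMPLE_DATA = b"what do ya want for nothing?"
SAMPLE_TAG = "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"


def main(argv):
    """usage: hmacfile.py <keyfile.pem> <file>   (no key on the command line)"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    keyfile, target = argv[1], argv[2]
    if not keyfile_is_private(os.stat(keyfile).st_mode):
        print(f"warning: {keyfile} is readable by other users", file=sys.stderr)
    with open(keyfile) as f:
        key = load_pem_mac_key(f.read())
    print(f"HMAC-SHA1({target})= {hmac_file(target, key)}")
    return 0


if __name__ == "__main__":
    if len(sys.argv) == 1:
        # No arguments: check the embedded vector instead of touching the disk.
        key = load_pem_mac_key(SAMPLE_PEM)
        assert key == b"Jefe"
        assert verify_tag(SAMPLE_DATA, key, SAMPLE_TAG)
        print("RFC 2202 vector OK:", hmac_bytes(SAMPLE_DATA, key))
    else:
        sys.exit(main(sys.argv))
```

Create the key file with `umask 077` (or `chmod 600` afterwards) so the permission warning never fires; the script only warns, it does not refuse, because a read-only deployment may legitimately own the file as a different user. `verify_tag` uses `hmac.compare_digest` rather than `==` so that checking a tag does not leak how many leading bytes matched.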