Script in bash to get all certificates names in a directory - linux

I'm creating a script in bash that uses the command:
openssl x509 -in <cert> -noout -text | grep 'Issuer\|Not After' | sed -e 's/^[ \t]*//'
and check all certificate files in the directory, I used the command
ls -l | grep .crt | cut -d " " -f11 > test.txt
to get the following certificate list:
client.crt
client1.crt
client12.crt
client2.crt
client3.crt
server12.crt
server2.crt
however when I run:
for i in test.txt;do openssl x509 -in $i -noout -text | grep 'Issuer|Not After' | sed -e 's/^[ \t]*//';done
I get the following output:
unable to load certificate
140075503359296:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

You're not iterating over the files listed in your test.txt, your executing openssl against that very file.
What you really want to do is this:
while read -r i
do
openssl x509 -in "$i" -noout -text | grep 'Issuer|Not After' | sed -e 's/^[ \t]*//'
done < test.txt
P.S.: I did not verify that your openssl magic works, just fixed the loop logic.

Related

Linux command piping in openssl to use string input

I have a shell script where a file path $path have some text which I encrypt as below and it works:
content_sha256="$(openssl dgst -binary -sha256 < $path | openssl enc -e -base64)";
The value of variable content_sha256 works correctly.
Now, I have a string $body which I want to encrypt. I am trying below but it gives me entirely different result.
content_sha256="$(echo $body | openssl dgst -sha256 | openssl enc -e -base64)";
Am I piping something wrong or option for openssl should be different?
Correct answer below
content_sha256="$(echo $body | openssl dgst -binary -sha256 | openssl enc -e -base64)";
Points to note:
Include -binary option.
Instead of redirection of file content as input, use echo $body with pipe .

How to get key only with openssl command?

How can I just retrieve the key value only with openssl command below?
$ openssl enc -aes-128-cbc -k secret -P -md sha1
Output:
salt=9EFF5E41E21EA17F
key=D0F15A0E51C29FA9E7AC1B63DC4585D3
iv =F0090A64ADB51DE25A28151B0C55DAEA
Thanks!
Use grep and sed in pipes:
$ openssl enc -aes-128-cbc -k secret -P -md sha1 | grep key | sed 's/.*=//'
The grep command filters out lines without "key".
The sed command replaces all characters from the start up to and including the = with nothing (deleting them).
Use the -nosalt option to suppress the use of a salt in the key derivation. But consider that this is not recommended. Note that this key derivation method is also not recommended, especially with sha1.
Anyway, with awk:
$ openssl enc -aes-128-cbc -nosalt -k secret -P -md sha1 |
awk -F= '$1 == "key" {print $2}'
2BB80D537B1DA3E38BD30361AA855686

JWT Signature HS256 - different result on linux and website

I'm trying to write small linux utility for development purposes that works with JWT signatures.
Problem: linux secret and secret from jwt.io website are different.
I'm using default data from https://jwt.io/#debugger-io and HS256.
Example:
# hmac256
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | hmac256 secret
> 4c9540f793ab33b13670169bdf444c1eb1c37047f18e861981e14e34587b1e04
# openssl
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | openssl dgst -sha256 -hmac secret
> (stdin)= 4c9540f793ab33b13670169bdf444c1eb1c37047f18e861981e14e34587b1e04
# Key from website
# TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Found answer, result of hash utilities should be in binary format and also in base64 encoding.
So working commands are:
echo -n "{header}.{payload}" | hmac256 --binary secret | base64
echo -n "{header}.{payload}" | openssl dgst -sha256 -binary -hmac secret | base64
Example:
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | hmac256 --binary secret | base64
> TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ=
$ echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9" | openssl dgst -sha256 -binary -hmac secret | base64
> TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ=

permission denied trying to download certificate from webstie using openssl, sudo

I want to download ssl certificate in my linux server for which I am using this command
echo -n | openssl s_client -connect HOST:PORTNUMBER | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/$SERVERNAME.cert
I need help in using sudo for the above command, I tried adding sudo at the start but its failing with permission denied, need help with using sudo when using sed in command.
Why do you need sudo(1) to do this? Your example works fine for me accessing www.oracle.com:443 like this:
echo -n | openssl s_client -connect www.oracle.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Generating a SHA-256 hash from the Linux command line

I know the string "foobar" generates the SHA-256 hash c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2 using
http://hash.online-convert.com/sha256-generator
However the command line shell:
hendry#x201 ~$ echo foobar | sha256sum
aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f -
Generates a different hash. What am I missing?
echo will normally output a newline, which is suppressed with -n. Try this:
echo -n foobar | sha256sum
If you have installed openssl, you can use:
echo -n "foobar" | openssl dgst -sha256
For other algorithms you can replace -sha256 with -md4, -md5, -ripemd160, -sha, -sha1, -sha224, -sha384, -sha512 or -whirlpool.
If the command sha256sum is not available (on Mac OS X v10.9 (Mavericks) for example), you can use:
echo -n "foobar" | shasum -a 256
echo -n works and is unlikely to ever disappear due to massive historical usage, however per recent versions of the POSIX standard, new conforming applications are "encouraged to use printf".
echo produces a trailing newline character which is hashed too. Try:
/bin/echo -n foobar | sha256sum
For the sha256 hash in base64, use:
echo -n foo | openssl dgst -binary -sha256 | openssl base64
Example
echo -n foo | openssl dgst -binary -sha256 | openssl base64
C+7Hteo/D9vJXQ3UfzxbwnXaijM=
Use printf instead of echo to avoid adding an extra newline.
printf foobar | sha256sum
For an arbitrary string, the %s format specifier should be used.
printf '%s' 'somestring' | sha256sum
I believe that echo outputs a trailing newline. Try using -n as a parameter to echo to skip the newline.

Resources