Python subprocess.run(). Combine all arguments into a single string? - python-3.x

In Python 3.8, on Windows, I want to run this command from a Python script:
openssl.exe req -out server2.csr -newkey rsa:4096 -nodes -keyout server2.priv.key -config server2.cnf
Notice that it has 6 arguments. If you count each item separated by a space, there are 10 items after openssl.
The code below works, but it's very tedious. For every item that's separated by a space in the command, I have to separate it by quotes and commas in the code.
subprocess.run(['openssl', 'req', '-out', 'server2.csr', '-newkey', 'rsa:4096', '-nodes', '-keyout', 'server2.priv.key', '-config', 'server2.cnf'])
What I really want is something like this:
argument = 'req -out ' + servername + '.csr -newkey rsa:4096 -nodes -keyout ' + servername + '.priv.key -config ' + configfile
subprocess.run(['openssl', argument])
Is there a way in Python to combine all the arguments into one string? That way seems a lot easier to manage.

How about using a combination of f-strings and string manipulation?
import subprocess

argument = f'req -out {servername}.csr -newkey rsa:4096 -nodes -keyout {servername}.priv.key -config {configfile}'
command = f'openssl {argument}'.split(' ')  # generate a list of space-separated entries
subprocess.run(command)  # pass the list itself; wrapping it in another list ([command]) raises a TypeError
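As an added example (not code from the question or the answer), the Python below builds the same openssl command as an argument list and makes the difference between the approaches visible: a value containing spaces or shell metacharacters stays one argv element when the list is built directly or split with shlex, while str.split(' ') breaks it apart, and because no shell is involved the child process receives each element exactly as written. openssl itself is replaced by a small Python child that echoes its argv, so the example runs anywhere Python does; the servername values in the tests are constructed. On Windows, subprocess joins the list for you using the platform's argument-quoting rules (subprocess.list2cmdline), which is why the list form beats hand-building a command string, and why a concatenated string should never be handed to shell=True.

```python
"""Added example: build the openssl argv from untrusted pieces without a shell."""
import json
import shlex
import subprocess
import sys


def build_csr_argv(servername, configfile):
    """Return the argv list for the CSR command in the question.

    Each interpolated value is exactly one argv element, so a servername
    containing spaces or shell metacharacters cannot turn into extra options.
    """
    return [
        "openssl", "req",
        "-out", f"{servername}.csr",
        "-newkey", "rsa:4096",
        "-nodes",
        "-keyout", f"{servername}.priv.key",
        "-config", configfile,
    ]


def argv_from_command_line(command_line):
    """Split one command string into argv using shell quoting rules.

    Unlike str.split(' '), a quoted value containing spaces stays one element.
    shlex follows POSIX rules, not cmd.exe rules, so on Windows prefer building
    the list directly as build_csr_argv does.
    """
    return shlex.split(command_line)


def naive_split(servername, configfile):
    """The str.split(' ') approach from the answer: breaks on any value with a space."""
    line = (f"openssl req -out {servername}.csr -newkey rsa:4096 -nodes "
            f"-keyout {servername}.priv.key -config {configfile}")
    return line.split(" ")


def argv_as_received(args):
    """Run a child process that reports its argv verbatim.

    A small Python child stands in for openssl.exe so the example runs offline;
    with no shell in between, every element arrives exactly as it was passed.
    """
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))", *args]
    proc = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    hostile = "server2; del *.key"   # constructed value a caller might supply
    argv = build_csr_argv(hostile, "server2.cnf")
    print(argv_as_received(argv[1:]))            # the hostile value is one element
    print(naive_split("my server", "a.cnf"))     # "my" and "server.csr" split apart
```

Swap the stand-in child for the real openssl invocation by running subprocess.run(build_csr_argv(name, cnf), check=True); the argv construction is the part worth keeping.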

Binding arrow keys for TMUX with MacOS Terminal

I am trying to create new arrow key bindings in TMUX which is running on a Linux machine. I ssh to that machine from my Mac (Mojave 10.14.6) using the Terminal. These are all combinations that I added in ~/.tmux.conf:
# Use Shift-Arrow to move between panes
bind -T root C-Left select-pane -L
bind -T root C-Right select-pane -R
bind -T root C-Up select-pane -U
bind -T root C-Down select-pane -D
# Use Alt-Shift Left/Right to switch between tabs
bind -T root M-C-Left previous-window
bind -T root M-C-Right next-window
# Use Alt-Shift Up/Down to create/close a tab
bind -T root M-C-Up new-window
bind -T root M-C-Down kill-pane
It works for Ctrl+Left and Ctrl+Right, but not for the others. For the Up/Down arrow combinations it always goes through the Terminal history, so I think that Terminal is overriding these bindings. However, I cannot find where it does so; I removed all relevant combinations from Preferences -> Profiles -> Keyboard and also from System Preferences -> Keyboard -> Shortcuts. For M-C-Left/Right nothing happens.
I believe the TERM variable is set correctly:
TERM=xterm-256color
TERM_PROGRAM=Apple_Terminal
TERM_PROGRAM_VERSION=421.2
TERM_SESSION_ID=782B88DE-A8DA-4542-8428-F9D5C1EF6386
The key bindings are also listed when calling tmux list-keys. When pressing the combinations in cat, I get:
cat
^[[A (Ctrl+Up)
^[[B (Ctrl+Down)
^[^[[C (Ctrl+Option+Right)
^[^[[D (Ctrl+Option+Left)
^[^[[A (Ctrl+Option+Up)
^[^[[B (Ctrl+Down)
In the TMUX server log, key bindings seem to be loaded properly. An excerpt when starting TMUX and then trying the key bindings:
1629805569.985046 server started, pid 16654
1629805569.985178 continuing cmdq 0x55797a7cedb0: flags=0, client=-1
1629805569.985192 cmdq 0x55797a7cedb0: bind-key C-b send-prefix
1629805569.985217 continuing cmdq 0x55797a7cedb0: flags=0, client=-1
...
1629805569.986939 socket path /tmp/tmux-1038/default
1629805569.987071 new client 7
1629805569.987113 loading /home/zimmerl/.tmux.conf
1629805569.987142 /home/zimmerl/.tmux.conf: # Move status bar to the top
1629805569.987148 /home/zimmerl/.tmux.conf: set-option -g status-position top
1629805569.987159 /home/zimmerl/.tmux.conf:
1629805569.987165 /home/zimmerl/.tmux.conf: # Change colors
1629805569.987178 /home/zimmerl/.tmux.conf: set -g status-fg green
1629805569.987190 /home/zimmerl/.tmux.conf: set -g status-bg black
1629805569.987201 /home/zimmerl/.tmux.conf:
1629805569.987208 /home/zimmerl/.tmux.conf: # Use Shift-Arrow to move between panes
1629805569.987215 /home/zimmerl/.tmux.conf: bind -T root C-Left select-pane -L
1629805569.987228 /home/zimmerl/.tmux.conf: bind -T root C-Right select-pane -R
1629805569.987239 /home/zimmerl/.tmux.conf: bind -T root C-Up select-pane -U
1629805569.987251 /home/zimmerl/.tmux.conf: bind -T root C-Down select-pane -D
1629805569.987262 /home/zimmerl/.tmux.conf:
1629805569.987269 /home/zimmerl/.tmux.conf: # Use Alt-Shift Left/Right to switch between tabs
1629805569.987276 /home/zimmerl/.tmux.conf: bind -T root M-C-Left previous-window
1629805569.987288 /home/zimmerl/.tmux.conf: bind -T root M-C-Right next-window
1629805569.987299 /home/zimmerl/.tmux.conf:
1629805569.987306 /home/zimmerl/.tmux.conf: # Use Alt-Shift Up/Down to create/close a tab
1629805569.987313 /home/zimmerl/.tmux.conf: bind -T root M-C-Up new-window
1629805569.987323 /home/zimmerl/.tmux.conf: bind -T root M-C-Down kill-pane
1629805569.987330 /home/zimmerl/.tmux.conf:
1629805569.987335 /home/zimmerl/.tmux.conf: # Use Ctrl+b -> h/v to split current pane horizontally/vertically
1629805569.987340 /home/zimmerl/.tmux.conf: bind -T prefix h split-window -h -c "#{pane_current_path}"
1629805569.987354 /home/zimmerl/.tmux.conf: bind -T prefix v split-window -v -c "#{pane_current_path}"
1629805569.987369 continuing cmdq 0x55797a7d4c80: flags=0, client=-1
1629805569.987375 cmdq 0x55797a7d4c80: set-option -g status-position top
1629805569.987390 cmdq 0x55797a7d4c80: set-option -g status-fg green
1629805569.987399 cmdq 0x55797a7d4c80: set-option -g status-bg black
1629805569.987408 cmdq 0x55797a7d4c80: bind-key -T root C-Left select-pane -L
1629805569.987421 cmdq 0x55797a7d4c80: bind-key -T root C-Right select-pane -R
1629805569.987434 cmdq 0x55797a7d4c80: bind-key -T root C-Up select-pane -U
1629805569.987446 cmdq 0x55797a7d4c80: bind-key -T root C-Down select-pane -D
1629805569.987457 cmdq 0x55797a7d4c80: bind-key -T root M-C-Left previous-window
1629805569.987469 cmdq 0x55797a7d4c80: bind-key -T root M-C-Right next-window
1629805569.987480 cmdq 0x55797a7d4c80: bind-key -T root M-C-Up new-window
1629805569.987490 cmdq 0x55797a7d4c80: bind-key -T root M-C-Down kill-pane
1629805569.987504 cmdq 0x55797a7d4c80: bind-key -T prefix h split-window -h -c #{pane_current_path}
1629805569.987518 cmdq 0x55797a7d4c80: bind-key -T prefix v split-window -v -c #{pane_current_path}
1629805569.987529 unref client 7 (2 references)
1629805569.987553 event dispatch enter
1629805569.987591 got 100 from client 7
...
1629805569.987882 continuing cmdq 0x55797a7d3940: flags=0, client=7
1629805569.987891 cmdq 0x55797a7d3940: new-session
1629805569.987901 new term: xterm-256color
1629805569.988166 xterm-256color override: XT
1629805569.988178 xterm-256color override: Ms \033]52;%p1%s;%p2%s\a
1629805569.988187 xterm-256color override: Cs \033]12;%p1%s\a
1629805569.988194 xterm-256color override: Cr \033]112\a
1629805569.988202 xterm-256color override: Ss \033[%p1%d q
1629805569.988209 xterm-256color override: Se \033[2 q
1629805569.988248 new key \033Oo: 0x103c (KP/)
1629805569.988255 new key \033Oj: 0x103d (KP*)
1629805569.988261 new key \033Om: 0x103e (KP-)
1629805569.988267 new key \033Ow: 0x103f (KP7)
1629805569.988273 new key \033Ox: 0x1040 (KP8)
1629805569.988280 new key \033Oy: 0x1041 (KP9)
1629805569.988286 new key \033Ok: 0x1042 (KP+)
1629805569.988292 new key \033Ot: 0x1043 (KP4)
1629805569.988297 new key \033Ou: 0x1044 (KP5)
1629805569.988302 new key \033Ov: 0x1045 (KP6)
1629805569.988307 new key \033Oq: 0x1046 (KP1)
1629805569.988313 new key \033Or: 0x1047 (KP2)
1629805569.988319 new key \033Os: 0x1048 (KP3)
1629805569.988325 new key \033OM: 0x1049 (KPEnter)
1629805569.988330 new key \033Op: 0x104a (KP0)
1629805569.988337 new key \033On: 0x104b (KP.)
1629805569.988342 new key \033OA: 0x1038 (Up)
1629805569.988347 new key \033OB: 0x1039 (Down)
1629805569.988354 new key \033OC: 0x103b (Right)
1629805569.988359 new key \033OD: 0x103a (Left)
1629805569.988365 new key \033[A: 0x1038 (Up)
1629805569.988370 new key \033[B: 0x1039 (Down)
1629805569.988377 new key \033[C: 0x103b (Right)
1629805569.988384 new key \033[D: 0x103a (Left)
1629805569.988390 new key \033OH: 0x1033 (Home)
1629805569.988396 new key \033OF: 0x1034 (End)
1629805569.988402 new key \033[H: 0x1033 (Home)
1629805569.988408 new key \033[F: 0x1034 (End)
1629805569.988413 new key \033Oa: 0x5038 (C-Up)
1629805569.988420 new key \033Ob: 0x5039 (C-Down)
1629805569.988427 new key \033Oc: 0x503b (C-Right)
1629805569.988432 new key \033Od: 0x503a (C-Left)
1629805569.988438 new key \033[a: 0x9038 (S-Up)
1629805569.988444 new key \033[b: 0x9039 (S-Down)
1629805569.988450 new key \033[c: 0x903b (S-Right)
1629805569.988457 new key \033[d: 0x903a (S-Left)
...
1629805569.989201 replacing key \033OH: 0x1033 (Home)
1629805569.989206 replacing key \033OF: 0x1034 (End)
...
1629805569.989229 replacing key \033OA: 0x1038 (Up)
1629805569.989236 replacing key \033OB: 0x1039 (Down)
1629805569.989242 replacing key \033OD: 0x103a (Left)
1629805569.989247 replacing key \033OC: 0x103b (Right)
...
1629805569.989292 new key \033[1;2B: 0x9039 (S-Down)
1629805569.989297 new key \033[1;3B: 0x3039 (M-Down)
1629805569.989303 new key \033[1;4B: 0xb039 (M-S-Down)
1629805569.989308 new key \033[1;5B: 0x5039 (C-Down)
1629805569.989314 new key \033[1;6B: 0xd039 (C-S-Down)
1629805569.989319 new key \033[1;7B: 0x7039 (C-M-Down)
...
1629805569.989546 new key \033[1;2C: 0x903b (S-Right)
1629805569.989551 new key \033[1;3C: 0x303b (M-Right)
1629805569.989557 new key \033[1;4C: 0xb03b (M-S-Right)
1629805569.989567 new key \033[1;5C: 0x503b (C-Right)
1629805569.989574 new key \033[1;6C: 0xd03b (C-S-Right)
1629805569.989580 new key \033[1;7C: 0x703b (C-M-Right)
1629805569.989943 new key \033[1;2A: 0x9038 (S-Up)
1629805569.990239 new key \033[1;3A: 0x3038 (M-Up)
1629805569.990245 new key \033[1;4A: 0xb038 (M-S-Up)
1629805569.990830 new key \033[1;5A: 0x5038 (C-Up)
1629805569.991122 new key \033[1;6A: 0xd038 (C-S-Up)
1629805569.991440 new key \033[1;7A: 0x7038 (C-M-Up)
1629805569.991544 #0 alerts flags added 0x2
1629805569.991559 spawn: /bin/bash --
...
1629805580.564176 event dispatch enter
1629805580.970822 keys are 3 (\033[A)
1629805580.970848 complete key \033[A 0x1038
1629805580.970859 session 0 not pasting
1629805580.970867 writing key 0x1038 (Up)
1629805580.970873 found key 0x1038: "\033[A"
1629805580.970884 event dispatch exit
....
1629805581.064643 event dispatch enter
1629805582.965826 keys are 3 (\033[B)
1629805582.965857 complete key \033[B 0x1039
1629805582.965870 session 0 not pasting
1629805582.965879 writing key 0x1039 (Down)
1629805582.965887 found key 0x1039: "\033[B"
1629805582.965900 event dispatch exit
Just try to reload the config.
Kill your tmux for good (tmux kill-server) and launch it with:
tmux source-file ~/.tmux.conf
or simply load the config in tmux command mode (Ctrl+B):
:source-file ~/.tmux.conf
I think you should kill existing sessions after changing the configuration of tmux.
tmux kill-server
Now you can create new sessions, which will have the changed configuration.
The default terminal schemes map the left and right arrow keys to control codes, which is why they work.
The up and down arrow keys aren't mapped to control codes, which seems to be why tmux isn't picking them up.
I got this to work by modifying my scheme (Preferences > Profiles > Keyboard) to send the control codes for all the arrow keys.
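As an added example (not part of the question or of any answer above), the decoder below applies the rules visible in the tmux server log: a bare ESC [ X or ESC O X is a plain arrow, ESC [ 1 ; m X carries an xterm modifier where m-1 is a bitmask (shift 1, alt 2, ctrl 4), ESC O a..d and ESC [ a..d are the rxvt-style ctrl and shift arrows, and a doubled ESC is how a terminal sends Alt/Meta. Run over the sequences the poster captured with cat, it shows why the C-Up and M-C-Right bindings never fire: Terminal sends plain Up and M-Right, not the ESC[1;5A and ESC[1;7C forms tmux maps to C-Up and C-M-Right. The OBSERVED table is transcribed from the question; key names follow tmux's C-, M-, S- prefix order.

```python
"""Added example: decode arrow-key escape sequences into tmux key names."""

ESC = "\x1b"
ARROWS = {"A": "Up", "B": "Down", "C": "Right", "D": "Left"}   # CSI / SS3 final bytes
RXVT = {"a": "Up", "b": "Down", "c": "Right", "d": "Left"}     # ESC O a..d (ctrl), ESC [ a..d (shift)


def key_name(bits, arrow):
    """Name a key the way tmux does: C-, then M-, then S-, then the arrow."""
    prefix = ("C-" if bits & 4 else "") + ("M-" if bits & 2 else "") + ("S-" if bits & 1 else "")
    return prefix + arrow


def decode_arrow(seq):
    """Return the tmux key name for one complete arrow sequence, or None if unrecognised."""
    bits = 0
    if seq.startswith(ESC + ESC):          # leading extra ESC: Alt/Meta prefix
        bits |= 2
        seq = seq[1:]
    if len(seq) < 3 or seq[0] != ESC or seq[1] not in "[O":
        return None
    intro, params, final = seq[1], seq[2:-1], seq[-1]
    if final in ARROWS:
        if params == "":                   # ESC [ A  or  ESC O A: unmodified arrow
            return key_name(bits, ARROWS[final])
        if intro == "[" and params.startswith("1;") and params[2:].isdigit():
            mod = int(params[2:])          # xterm: 2=S 3=M 4=M-S 5=C 6=C-S 7=C-M 8=C-M-S
            if 2 <= mod <= 8:
                return key_name(bits | (mod - 1), ARROWS[final])
        return None
    if final in RXVT and params == "":
        bits |= 4 if intro == "O" else 1   # ESC O a = C-Up, ESC [ a = S-Up
        return key_name(bits, RXVT[final])
    return None


# Transcribed from the question's `cat` output: what Terminal actually sent for each chord.
OBSERVED = {
    "Ctrl+Up": ESC + "[A",
    "Ctrl+Down": ESC + "[B",
    "Ctrl+Option+Right": ESC + ESC + "[C",
    "Ctrl+Option+Left": ESC + ESC + "[D",
}


def diagnose(observed=OBSERVED):
    """Map each chord pressed to the key tmux will see, so mismatches with the bindings stand out."""
    return {pressed: decode_arrow(seq) for pressed, seq in observed.items()}


if __name__ == "__main__":
    for pressed, seen in diagnose().items():
        print(f"{pressed:18} -> tmux sees {seen}")
    print("C-Up needs", repr(ESC + "[1;5A"), "->", decode_arrow(ESC + "[1;5A"))
```

To capture what your own terminal sends, run cat with no arguments, press the chord, and compare the echoed bytes with the "new key" lines in the tmux log; a binding only fires when the two agree.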

Import PGP public key from Fingerprint

I have the fingerprint 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6 and I want to download the public key to verify the archive.
I'd like to download the key from terminal, and I try to use that command:
gpg --search-keys "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6"
And I get this result
gpg: data source: https://keys.openpgp.org:443
(1) 2048 bit RSA key 74810B012346C9A6, created: 2011-08-24
Keys 1-1 of 1 for "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6".
Enter number(s), N)ext, or Q)uit > n
Then I use recv-key
gpg --recv-key 74810B012346C9A6
Result:
gpg: key 74810B012346C9A6: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
I did some research and I tried again with:
gpg --keyserver keyserver.ubuntu.com --recv 74810B012346C9A6
result:
gpg: key 74810B012346C9A6: public key "Wladimir J. van der Laan <laanwj@visucore.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
With the command list-keys I can see that result:
gpg --list-keys
pub rsa2048 2011-08-24 [SC] [expires: 2022-02-10]
71A3B16735405025D447E8F274810B012346C9A6
uid [ unknown] Wladimir J. van der Laan <laanwj@visucore.com>
uid [ unknown] Wladimir J. van der Laan <laanwj@gmail.com>
uid [ unknown] Wladimir J. van der Laan <laanwj@protonmail.com>
sub rsa2048 2017-05-17 [S] [expires: 2022-02-10]
sub rsa2048 2017-05-17 [A] [expires: 2022-02-10]
sub rsa2048 2011-08-24 [E]
Now, I tried to do the verification
gpg --verify SHA256SUMS.asc
result:
gpg: Signature made Sun Nov 24 10:14:42 2019 CET
gpg: using RSA key 90C8019E36C2E964
gpg: Can't check signature: No public key
I tried to download the public key form https://bitcoin.org/en/full-node#mac-os-x-yosemite-1010x and https://keys.openpgp.org (with fingerprint) But I Get different values.
This question was asked over 1 year ago, but I'll answer anyway in case it helps someone:
First, at step:
Enter number(s), N)ext, or Q)uit > n
You should've typed 1 to import that key. That would've imported it right away, so you wouldn't have to use --recv-keys later.
But the real reason the verification failed is that the key you imported is different from the key used to sign the file. As you can read from the link you posted:
Earlier releases were signed by Wladimir J. van der Laan’s regular key. That key’s fingerprint is: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6.
So you imported an old key. The correct one is exactly there:
The 0.11 and later releases are signed by Wladimir J. van der Laan’s releases key with the fingerprint: 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964.
Finally, the key you imported is marked as [ unknown] because you haven't signed it. You can do that by using gpg --sign-key <user-id>, so it will be marked as [ full ], meaning you trust it.
Import keys from gist.github.com/laanwj/8368525bba4d89488dd5a0418884d91d
curl -fsSL https://gist.githubusercontent.com/laanwj/8368525bba4d89488dd5a0418884d91d/raw/0ff5573bf5c0b932d2ca567f77fadf038816c7b8/keys.txt -o keys.txt && while read -r line; do gpg --keyserver keyserver.ubuntu.com --recv-key ${line:0:41}; done < keys.txt

GPG Still sees good sign with revoked subkey still works

I have created a key, and created a subkey. With a subkey, I signed a file. Verification works. Revoked the key, verification does not hold. This is the expected behavior.
However, if I try to sign with the same subkey and verify, it still works. What am I doing wrong? Here is what I am doing in full:
$ gpg --gen-key
$ gpg -k
/Users/mustafa/.gnupg/pubring.kbx
---------------------------------
pub rsa2048 2019-02-03 [SC] [expires: 2021-02-02]
5DD923FBCF6392A5CB366167D4C0627A07510C6C
uid [ultimate] Mustafa <mustafa91@gmail.com>
sub rsa2048 2019-02-03 [E] [expires: 2021-02-02]
Using edit key, add a subkey.
$ gpg --edit-key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
gpg> addkey
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
ssb rsa2048/38616BDAE66E418C
created: 2019-02-03 expires: 2019-02-13 usage: S
[ultimate] (1). Mustafa <mustafa91@gmail.com>
gpg> q
Save changes? (y/N) y
Sign a file and verify it.
$ gpg --armor --detach-sign --default-key 38616BDAE66E418C test.txt
gpg: using "38616BDAE66E418C" as default secret key for signing
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb 3 21:49:43 2019 +03
gpg: using RSA key 485FC77FC73DA3B800C7F41538616BDAE66E418C
gpg: Good signature from "Mustafa <mustafa91@gmail.com>" [ultimate]
Revoke the key with message "This key is now in the hands of the enemy."
$ gpg --edit-key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
gpg> key 2
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
ssb* rsa2048/38616BDAE66E418C
created: 2019-02-03 expires: 2019-02-13 usage: S
gpg> revkey
sec rsa2048/D4C0627A07510C6C
created: 2019-02-03 expires: 2021-02-02 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/E058B91696C43666
created: 2019-02-03 expires: 2021-02-02 usage: E
The following key was revoked on 2019-02-03 by RSA key D4C0627A07510C6C Mustafa <mustafa91@gmail.com>
ssb rsa2048/38616BDAE66E418C
created: 2019-02-03 revoked: 2019-02-03 usage: S
[ultimate] (1). Mustafa <mustafa91@gmail.com>
Try to verify the old signature and see it fails.
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb 3 21:49:43 2019 +03
gpg: using RSA key 485FC77FC73DA3B800C7F41538616BDAE66E418C
gpg: Good signature from "Mustafa <mustafa91@gmail.com>" [ultimate]
gpg: WARNING: This subkey has been revoked by its owner!
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: This key is now in the hands of the enemy.
However, trying to sign with revoked key.
$ rm test.key.asc
$ gpg --armor --detach-sign --default-key 38616BDAE66E418C test.txt
gpg: using "38616BDAE66E418C" as default secret key for signing
Why does it not fail? How can it be verified?
$ gpg --verify test.txt.asc test.txt
gpg: Signature made Sun Feb 3 21:53:11 2019 +03
gpg: using RSA key 5DD923FBCF6392A5CB366167D4C0627A07510C6C
gpg: Good signature from "Mustafa <mustafa91@gmail.com>" [ultimate]
Look at your last two excerpts. Despite the fact that you specified the default signing key to be 38616BDAE66E418C, when you do the verify it reports having been signed with D4C0627A07510C6C.
If you utilize the -v verbose option of gpg, you will see that if the specified default key is revoked, it falls back to the next usable signing key.
To illustrate this, I recreated your scenario:
sec rsa2048/4E5CB15076F1318E
created: 2019-02-09 expires: 2021-02-08 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/3303CBB274AECA3B
created: 2019-02-09 expires: 2021-02-08 usage: E
The following key was revoked on 2019-02-09 by RSA key 4E5CB15076F1318E Herp Derp <herp@derp.com>
ssb rsa2048/8ABD3900E64E7972
created: 2019-02-09 revoked: 2019-02-09 usage: S
[ultimate] (1). Herp Derp <herp@derp.com>
Signing with subkey prior to revoking:
$ gpg -v --armor --detach-sign --default-key 8ABD3900E64E7972 test.txt
gpg: using pgp trust model
gpg: using "8ABD3900E64E7972" as default secret key for signing
gpg: using subkey 8ABD3900E64E7972 instead of primary key 4E5CB15076F1318E
gpg: writing to 'test.txt.asc'
gpg: RSA/SHA256 signature from: "8ABD3900E64E7972 Herp Derp <herp@derp.com>"
Signing with subkey after revoking:
$ gpg -v --armor --detach-sign --default-key 8ABD3900E64E7972 test.txt
gpg: Note: signature key 8ABD3900E64E7972 has been revoked
gpg: using pgp trust model
gpg: using "8ABD3900E64E7972" as default secret key for signing
gpg: Note: signature key 8ABD3900E64E7972 has been revoked
gpg: writing to 'test.txt.asc'
gpg: RSA/SHA256 signature from: "4E5CB15076F1318E Herp Derp <herp@derp.com>"
You can see that in the second example, gpg identifies the subkey as revoked and falls back to the primary key.
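As an added example that is not from either of the two gpg threads above, the Python below covers both of them. It derives the 16-hex-digit key ID gpg prints from a full fingerprint, which shows why importing 71A3 ... C9A6 cannot satisfy a signature made with 90C8019E36C2E964 (that ID is the tail of the 01EA ... E964 releases key). It then interprets the machine-readable output of gpg --status-fd, so that a signature by a revoked subkey, or by a key outside an allowlist, is rejected even when gpg's human-readable text says "Good signature", which is exactly the trap in the revoked-subkey thread: the signature was good, just made by the primary key instead of the one requested. The status lines embedded below are constructed to mirror the three --verify runs quoted above; timestamps and algorithm fields are placeholders, not captured gpg output.

```python
"""Added example: decide whether a gpg signature is acceptable from its
--status-fd output instead of trusting the words "Good signature"."""

RELEASES_KEY = "01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964"  # from the answer above
OLD_KEY = "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6"       # the key the asker imported


def normalize_fpr(fpr):
    """Drop display spacing from a fingerprint and upper-case it."""
    return "".join(fpr.split()).upper()


def long_keyid(fpr):
    """The 16-hex-digit key ID gpg prints is the low 64 bits of the fingerprint."""
    return normalize_fpr(fpr)[-16:]


def check_signature(status_lines, expected_fingerprints):
    """Interpret the machine-readable lines from `gpg --status-fd 1 --verify`.

    Returns (ok, reason). ok is True only when gpg reported GOODSIG and VALIDSIG,
    none of NO_PUBKEY/BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG appeared, and the
    primary-key fingerprint in VALIDSIG (field 11) is on our allowlist. Pinning
    the primary fingerprint accepts any of its non-revoked subkeys, which is how
    gpg itself treats subkeys.
    """
    allowed = {normalize_fpr(f) for f in expected_fingerprints}
    seen = {}
    for line in status_lines:
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            seen.setdefault(fields[1], fields)   # keep the first of each keyword

    if "NO_PUBKEY" in seen:
        missing = seen["NO_PUBKEY"][2]
        return False, f"no public key for {missing}; the imported key's ID must end in that value"
    for kw, msg in (("BADSIG", "bad signature"),
                    ("ERRSIG", "signature could not be checked"),
                    ("REVKEYSIG", "signing key is revoked"),
                    ("EXPKEYSIG", "signing key has expired")):
        if kw in seen:
            return False, f"{msg} ({seen[kw][2]})"
    if "GOODSIG" not in seen or "VALIDSIG" not in seen:
        return False, "no valid signature"

    v = seen["VALIDSIG"]
    sig_fpr = v[2]
    primary_fpr = v[11] if len(v) > 11 else sig_fpr
    if primary_fpr not in allowed:
        return False, f"unexpected signer {primary_fpr}"
    return True, f"signed by {sig_fpr} (primary key {primary_fpr})"


# Constructed status output modelled on the `gpg --verify` runs quoted in the two
# threads above; timestamps and algorithm fields are placeholders, not captured data.
STATUS_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 90C8019E36C2E964 1 8 00 1574586882 9 -",
    "[GNUPG:] NO_PUBKEY 90C8019E36C2E964",
]
STATUS_REVOKED_SUBKEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 38616BDAE66E418C Mustafa <mustafa91@gmail.com>",
    "[GNUPG:] VALIDSIG 485FC77FC73DA3B800C7F41538616BDAE66E418C 2019-02-03 1549216183 0 4 0 1 8 00 "
    "5DD923FBCF6392A5CB366167D4C0627A07510C6C",
]
STATUS_PRIMARY_FALLBACK = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG D4C0627A07510C6C Mustafa <mustafa91@gmail.com>",
    "[GNUPG:] VALIDSIG 5DD923FBCF6392A5CB366167D4C0627A07510C6C 2019-02-03 1549216391 0 4 0 1 8 00 "
    "5DD923FBCF6392A5CB366167D4C0627A07510C6C",
]

if __name__ == "__main__":
    print("imported key ID:", long_keyid(OLD_KEY), " signature needs:", long_keyid(RELEASES_KEY))
    print(check_signature(STATUS_NO_KEY, [RELEASES_KEY]))
    print(check_signature(STATUS_REVOKED_SUBKEY, ["5DD923FBCF6392A5CB366167D4C0627A07510C6C"]))
    print(check_signature(STATUS_PRIMARY_FALLBACK, ["5DD923FBCF6392A5CB366167D4C0627A07510C6C"]))
```

Feed it the stdout of gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS split into lines; the human-readable messages go to stderr and can be ignored. The allowlist should hold the fingerprint you obtained out of band, not one found on a keyserver by search.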

openssl unknown option error

I ran this script below:
#!/bin/bash
keyFile=video.key
openssl rand 16 > $keyFile
encryptionKey=$(cat $keyFile | hexdump -e '16/1 "%02x"')
splitFilePrefix=stream
encryptedSplitFilePrefix=enc/${splitFilePrefix}
numberOfTsFiles=$(ls ${splitFilePrefix}*.ts | wc -l)
for (( i=1; i<$numberOfTsFiles; i++ ))
do
initializationVector=printf '%032x' $i
openssl aes-128-cbc -e -in ${splitFilePrefix}$i.ts -out ${encryptedSplitFilePrefix}$i.ts -nosalt -iv $initializationVector -K $encryptionKey
done
right after the execution, the bash gives me an error:
./script.sh: line 14: fg: no job control
unknown option '9d268d620c68938b4578c3f299c91a1a'
options are
-in <file> input file
-out <file> output file
-pass <arg> pass phrase source
-e encrypt
-d decrypt
-a/-base64 base64 encode/decode, depending on encryption flag
-k passphrase is the next argument
-kfile passphrase is the first line of the file argument
-md the next argument is the md to use to create a key
from a passphrase. One of md2, md5, sha or sha1
-S salt in hex is the next argument
-K/-iv key/iv in hex is the next argument
-[pP] print the iv/key (then exit if -P)
-bufsize <n> buffer size
-nopad disable standard block padding
-engine e use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb
-aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr
-aes-128-ecb -aes-128-gcm -aes-128-ofb
-aes-128-xts -aes-192-cbc -aes-192-cfb
-aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr
-aes-192-ecb -aes-192-gcm -aes-192-ofb
-aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb
-aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr
-aes-256-ecb -aes-256-gcm -aes-256-ofb
-aes-256-xts -aes128 -aes192
-aes256 -bf -bf-cbc
-bf-cfb -bf-ecb -bf-ofb
-blowfish -camellia-128-cbc -camellia-128-cfb
-camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb
-camellia-128-ofb -camellia-192-cbc -camellia-192-cfb
-camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb
-camellia-192-ofb -camellia-256-cbc -camellia-256-cfb
-camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb
-camellia-256-ofb -camellia128 -camellia192
-camellia256 -cast -cast-cbc
-cast5-cbc -cast5-cfb -cast5-ecb
-cast5-ofb -des -des-cbc
-des-cfb -des-cfb1 -des-cfb8
-des-ecb -des-ede -des-ede-cbc
-des-ede-cfb -des-ede-ofb -des-ede3
-des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1
-des-ede3-cfb8 -des-ede3-ofb -des-ofb
-des3 -desx -desx-cbc
-id-aes128-GCM -id-aes192-GCM -id-aes256-GCM
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
-rc4-hmac-md5 -seed -seed-cbc
-seed-cfb -seed-ecb -seed-ofb
I read the openssl manual and thought either the -K or the -iv part was wrong, but couldn't figure out which option is wrong and why.
Your problem is that this line:
initializationVector=printf '%032x' $i
Should look like this:
initializationVector=$(printf '%032x' $i)
It made initializationVector empty.
You can find this out if you add set -x at the top and then see exactly what command line you're attempting to run.
Before the fix it looked like this:
openssl aes-128-cbc -e -in stream1.ts -out enc/stream1.ts -nosalt -iv -K 7aeb2faae0289b9828b2994f50a4cc3a
which made the openssl command take -K as the value for the -iv option, and treat the key itself as another command option.
Hence the error: unknown option '7aeb2faae0289b9828b2994f50a4cc3a' (in my case).
do
initializationVector=printf '%032x' $i
openssl aes-128-cbc -e -in ${splitFilePrefix}$i.ts -out ${encryptedSplitFilePrefix}$i.ts \
-nosalt -iv $initializationVector -K $encryptionKey
done
You are missing the leading dash on the cipher. Try -aes-128-cbc instead. From the enc(1) docs:
SYNOPSIS
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A]
[-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p]
[-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

Integrity Measurement Architecture (IMA) & Linux Extended Verification Module (EVM)

I am trying to activate IMA appraisal & EVM modules.
After compiling Linux kernel 3.10.2 on my bt5R3 and, as a first step, setting the kernel boot options like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=fix ima_appraise_tcb evm=fix"
and after running this command to generate the xattrs security.ima and security.evm:
find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -c 1 '{}' \;
and then like this:
GRUB_CMDLINE_LINUX="rootflags=i_version ima_tcb ima_appraise=enforce ima_appraise_tcb evm=enforce"
I try to create digital signatures of the xattrs as recommended in this tutorial:
Tutorial to IMA & EVM
Every step has been followed: creating RSA keys, loading them early at boot in the initramfs with keyctl.
Session Keyring
-3 --alswrv 0 65534 keyring: _uid_ses.0
977514165 --alswrv 0 65534 \_ keyring: _uid.0
572301790 --alswrv 0 0 \_ user: kmk-user
126316032 --alswrv 0 0 \_ encrypted: evm-key
570886575 --alswrv 0 0 \_ keyring: _ima
304346597 --alswrv 0 0 \_ keyring: _evm
However, as soon as I reboot my OS and try to read a signed and hashed file, I get the error "Permission Denied".
Running dmesg tells me:
[ 5461.175996] type=1800 audit(1375262160.913:57): pid=1756 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-HMAC" comm="sh" name="/root/Desktop/new.sh" dev="sda1" ino=546526 res=0
Do you have any idea why I get invalid-HMAC?
The keys are loaded like the tutorial says...
#!/bin/sh -e
PREREQ=""
# Output pre-requisites
prereqs()
{
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
grep -q "ima=off" /proc/cmdline && exit 1
mount -n -t securityfs securityfs /sys/kernel/security
IMA_POLICY=/sys/kernel/security/ima/policy
LSM_POLICY=/etc/ima_policy
grep -v "^#" $LSM_POLICY >$IMA_POLICY
# import EVM HMAC key
keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
#keyctl revoke kmk
# import Module public key
mod_id=`keyctl newring _module @u`
evmctl import /etc/keys/pubkey_evm.pem $mod_id
# import IMA public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
# enable module checking
#echo "1" > /sys/kernel/security/module_check
Thanks for your help
Solved: newer kernels use HMAC v2, and you have to activate asymmetric keys when you compile the kernel.
cat .config should show these entries:
CONFIG_EVM_HMAC_VERSION=2
CONFIG_ASYMMETRIC_KEY_TYPE=y
Then, when you hash or sign a file, use
evmctl -u - -x --imasig/--imahash $file
You should also have created the asymmetric keys and loaded them into the _evm and _ima keyrings with keyctl from the initramfs.
