In Node.js I use the following code
hash = crypto.createHmac('sha256', SECRET).update(file).digest('hex');
to calculate an HMAC. However, the Linux command line analog produces a different hash code:
> openssl sha256 -hmac "SECRET" file
What is wrong in the command line? What are the correct arguments?
Related
In Linux, I have a file 'signature.bin' with a binary RSA signature, and I would like to get a web-safe base64 variant of it.
How can I do it with the shell?
There is a base64 command in the GNU Coreutils. So simply
base64 signature.bin
should do the trick.
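An added example, not part of the original answer: base64 emits the standard alphabet, and the URL-safe alphabet of RFC 4648 section 5 differs only in that + and / become - and _, usually with the = padding dropped. The function names are hypothetical and -w 0 assumes GNU coreutils.

```sh
# Encode the file given as $1 as URL-safe base64 without padding.
b64url_encode() {
    # -w 0: no line wrapping; then swap the two non-URL-safe characters
    # ('/' -> '_', '+' -> '-') and strip the trailing '=' padding.
    base64 -w 0 < "$1" | tr '/+' '_-' | tr -d '='
}

# Decode URL-safe base64 read from stdin back to the original bytes.
b64url_decode() {
    # Undo the alphabet swap, then restore the padding base64 -d expects.
    s=$(tr -d '\n' | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
        1) return 1 ;;   # no base64 string has this length
    esac
    printf '%s' "$s" | base64 -d
}
```

Usage: b64url_encode signature.bin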
I'm using Mac OS 10.13.3. I'm trying to base64 encode a binary file but am having some issues. Specifically, I thought all base64 encoded files have to have a length that is a multiple of 4. However, when I encode my file, notice that the length is not divisible by 4 ...
localhost:lib davea$ openssl base64 -in myfile.binary -out ~/Downloads/myfile.base64
localhost:lib davea$ ls -al ~/Downloads/myfile.base64
-rw-r--r-- 1 davea staff 93162 May 31 14:22 /Users/davea/Downloads/myfile.base64
Also when I look at the contents of the base64 file, I don't see the traditional "=" or "==" at the end, which usually indicates padding
localhost:lib davea$ cat ~/Downloads/myfile.base64
...
C9vgMjoKSQYkXMLTrGKRleR558g3bY3VTqlsVvTqZXquCLp4JS4cprTG6N10H0u9
i4pwPrVmSAP2DmE1V7mGwR2e4fiYEWnZjpSbHofpzlUo34yhiQ2/5kJoQZktD7BU
uxYBAgQIECBAgBs2
Am I doing something wrong, or is there another way to base64 encode my file?
OK. I believe we were overthinking this quite a bit. Here is what you are looking for to get the desired behavior:
openssl base64 -A -in myfile.binary -out ~/Downloads/myfile.base64
This will convert to base64 without any line endings. The -A option is what does the trick.
Am I doing something wrong,
No
or is there another way to base64 encode my file?
Yes, you can use base64. It takes a parameter to specify line length but is otherwise similar; the equivalent to your command is:
base64 -b 64 -i myfile.binary -o ~/Downloads/myfile.base64
Also when I look at the contents of the base64 file, I don't see the traditional "=" or "==" at the end, which usually indicates padding
Base64 maps 3 input bytes to 4 output bytes. Your file is 93162 bytes which is divisible by 3, so no padding required.
HTH
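An added example, not from the original posts, that reproduces the size in the listing: the 93162 bytes counted by ls include one newline per 64-character line, so the base64 characters themselves number 91728, a multiple of 4. It assumes GNU coreutils base64 (-w 64 wraps at 64 columns as openssl base64 does) and a constructed all-zero input of 68796 bytes, a size chosen here only because it yields the same output size; the function names are hypothetical.

```sh
# Size in bytes of the base64 text for an N-byte input wrapped at W
# columns, newlines included (the number that ls -l reports).
b64_file_size() {
    head -c "$1" /dev/zero | base64 -w "$2" | wc -c
}

# Number of base64 characters alone, with the line breaks removed.
# This count, not the file size, is always a multiple of 4.
b64_char_count() {
    head -c "$1" /dev/zero | base64 -w "$2" | tr -d '\n' | wc -c
}

# Number of '=' padding characters for an N-byte input:
# 0 when N is a multiple of 3, otherwise 2 (N % 3 == 1) or 1 (N % 3 == 2).
b64_padding() {
    head -c "$1" /dev/zero | base64 -w 0 | tr -cd '=' | wc -c
}
```

Usage: b64_file_size 68796 64 gives 93162, while b64_char_count 68796 64 gives 91728.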
I need to call openssl from a binary; I wrote XML text in a popen() call to a script embedding openssl.
I get a problem if my binary fails during writing: openssl finishes writing my file successfully, but when I decode it I get a truncated file.
I would like to check at the end of the openssl call whether the received stream ends with "< /myEndTag>"
Context: my binary must never write an unencrypted file, and I would like not to decode with openssl.
Here is an example to illustrate (thanks to comments, this is not a valid statement, just a way to give you the idea):
echo "blablaf foo bar" | openssl -out file.crypt | grep -E "bar$"
Then, if grep has found "bar$", my file.crypt is good.
I found a solution fitting my needs:
My script now uses a tee to tail before openssl:
tee >(tail -n2 > "${checkfile}") | /usr/bin/openssl enc -aes-256-cbc -out "${outfile}" -e -K "${KEY}" -iv "${KEYOPTION}"
Grepping for my end XML tag in the checkfile, which only contains 2 lines, is secure enough.
As I mentioned, checking the openssl return code is not enough since I write to openssl via a popen statement.
If my binary hangs while it is writing, it seems the stream goes to openssl, which finds its end, no matter if it's the real end or a broken stream. openssl finally makes a valid encrypted output file with the truncated content.
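A POSIX-shell variant of the tee-and-tail check above, added here as an example and not the poster's script: it waits for the tail check before deciding, and removes the output when the end tag is missing. The function name, the FIFO and the temporary directory are assumptions of this example; the cipher options are the ones used above.

```sh
# encrypt_checked OUTFILE ENDTAG KEYHEX IVHEX   (plaintext on stdin)
# Encrypts stdin with AES-256-CBC and keeps OUTFILE only if the last two
# lines of the plaintext contained ENDTAG; returns non-zero otherwise.
encrypt_checked() {
    out=$1 tag=$2 key=$3 iv=$4
    tmp=$(mktemp -d) || return 2
    mkfifo "$tmp/tap" || { rm -rf "$tmp"; return 2; }

    # Checker: receives a copy of the stream and tests its last two lines.
    # The plaintext tail stays in a pipe and is never written to disk.
    ( tail -n 2 < "$tmp/tap" | grep -q -F -e "$tag" ) &
    checker=$!

    tee "$tmp/tap" | openssl enc -aes-256-cbc -e -K "$key" -iv "$iv" -out "$out"
    enc_rc=$?

    # Wait for the checker explicitly: the pipeline above can return
    # before the tail of the stream has been examined.
    wait "$checker"
    tag_rc=$?
    rm -rf "$tmp"

    if [ "$enc_rc" -ne 0 ] || [ "$tag_rc" -ne 0 ]; then
        rm -f "$out"    # truncated or failed stream: leave no partial file
        return 1
    fi
    return 0
}
```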
I am facing a problem: on the AIX platform, we use a command to generate checksums:
Sample:
exec 0<list
while read -r line
do
    # quote the name so paths containing spaces are passed as one argument
    openssl md5 "$line" >> checksum.out
done
But this lasts for a long time. I found out that our CPUs still have free resources.
Is openssl md5 running multithreaded? If not, how can I let it run multithreaded, or use another method to speed it up?
Best Regards
Void
If I understand correctly from the answer and comments of this question, it can't be done as there are dependencies between the steps in the hashing algorithm (and I guess OpenSSL would have a multithreaded implementation if it was generally possible).
However you could always parallelize the tasks by starting n instances of openssl md5 in parallel.
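For example (assuming n = 4 threads):
while read -r f1; do
    # Read the next three names here in the parent shell; $(read) prints
    # nothing, so it would pass no file name to openssl.
    read -r f2; read -r f3; read -r f4
    openssl md5 "$f1" >> checksum.out0 &
    [ -n "$f2" ] && openssl md5 "$f2" >> checksum.out1 &
    [ -n "$f3" ] && openssl md5 "$f3" >> checksum.out2 &
    [ -n "$f4" ] && openssl md5 "$f4" >> checksum.out3
done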
The last one should not run in the background if you want to keep the exact number of threads running at the same time. Also you may want to make sure that the different lines take about the same time to complete so you don't end up with race conditions.
Also this example is not really tested (using $(read)), and there are probably better ways to do it (for example let each instance write its output to a separate file and then concatenate them all afterwards - e.g. cat checksum.out* > checksum.out), but it should be enough of an idea to help you get started.
EDIT:
I just tested and read works the way I hoped, so by making a new output file for each instance of openssl md5 with incremented numbers at the end (for example by including a counter variable) you can just add an extra line at the end of the script to cat the outputs into a single file.
Resulting script:
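exec 0<list
COUNT=0
while read -r f1; do
    # Read the names and advance COUNT in the parent shell: $(read) prints
    # nothing, and $((COUNT++)) on a command ending in & runs in a subshell.
    read -r f2; read -r f3; read -r f4
    for f in "$f1" "$f2" "$f3"; do
        [ -n "$f" ] && openssl md5 "$f" >> "checksum.out$COUNT" &
        COUNT=$((COUNT + 1))
    done
    [ -n "$f4" ] && openssl md5 "$f4" >> "checksum.out$COUNT"
    COUNT=$((COUNT + 1))
done
wait    # let the remaining background jobs finish before merging
# match only the numbered files so that checksum.out is not its own input
cat checksum.out[0-9]* > checksum.out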
Should do the trick (just remember to clean up all the temporary files afterwards...)
I am looking for a tool that can compute an AES128 CMAC on the command line. OpenSSL does not seem to offer this feature on the command line. Did I miss something, or do you know a command line tool that can perform this computation?
Using newer OpenSSL (1.0.1 I think), you could do:
openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt hexkey:11223344556677889900112233445566 -sha1 <file>
Choose the cipher with -macopt cipher:<cipher> option and the hash with -<hash>.
[sweep over old questions]
Looked in source of openssl, but could not find it either. There is a patch available for openssl (search for peter, ibm and openssl) but you will have to test it against the latest and rebuild. OpenSSL is a very useful but horribly maintained library/tool.
If there is another tool that does AES/CMAC, it's very good at hiding as well.