Re: openssl hmac and key on the command line

2024-06-09 Thread Viktor Dukhovni
On Sat, Jun 08, 2024 at 08:12:57AM -0400, Neil Horman wrote: > > I see someone at > > https://github.com/openssl/openssl/issues/13382#issuecomment-1181577183 > > with a similar concern suggested -macopt keyfile:file The requested feature (explicit keyfile option) makes sense to me. Is there a mo

Re: openssl hmac and key on the command line

2024-06-08 Thread Carson Gaspar
On 6/8/2024 5:12 AM, Neil Horman wrote: printf '%s' "hello" | LD_LIBRARY_PATH=$PWD ./apps/openssl dgst -sha1 -hmac $(cat key.txt) SHA1(stdin)= c3b424548c3dbd02161a9541d89287e689f076d7 That will expose the key in the process args, so is NOT secure. -- Carson

Re: openssl hmac and key on the command line

2024-06-08 Thread Neil Horman
the openssl-mac utility already contains such a option (though it doesn't circumvent the issue as the option for the key is also passed on the command line) It seems some bash magic solves this problem though. By putting your key in a file, you can use command substitution to solve this: nhorman

Re: openssl hmac and key on the command line

2024-06-08 Thread Stephane Chazelas
2024-06-08 08:43:26 +0100, Stephane Chazelas: [...] > Would it be possible to have a: -macopt keyenv:varname and > -macopt keyexenv:varname for instance to be able to pass the > secret via environment variables instead (which on most systems > are a lot less public than command arguments)? [...] I

Re: openssl hmac and key on the command line

2024-06-08 Thread Stephane Chazelas
2022-08-07 18:20:56 +0200, Francois: [...] > I am reading some doc instructing me to run > > printf '%s' "${challenge}" | openssl dgst -sha1 -hmac ${APP_TOKEN} > > Doing so would leak the APP_TOKEN on the command line arguments (so a > user running a "ps" at the right time would see the APP_T