openssl hmac and key on the command line

[Neil Horman]

the openssl-mac utility already contains such a option (though it doesn't
circumvent the issue as the option for the key is also passed on the
command line)

It seems some bash magic solves this problem though.  By putting your key
in a file, you can use command substitution to solve this:

nhorman at fedora:~/git/worktrees/windows$ printf '%s' "hello" |
LD_LIBRARY_PATH=$PWD ./apps/openssl dgst -sha1 -hmac
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SHA1(stdin)= c3b424548c3dbd02161a9541d89287e689f076d7

printf '%s' "hello" | LD_LIBRARY_PATH=$PWD ./apps/openssl dgst -sha1 -hmac
$(cat key.txt)
SHA1(stdin)= c3b424548c3dbd02161a9541d89287e689f076d7

Getting the key into the file without landing in the audit log is of course
an exercise left to the user

Neil


On Sat, Jun 8, 2024 at 7:05 AM Stephane Chazelas <stephane at chazelas.org>
wrote:

> 2024-06-08 08:43:26 +0100, Stephane Chazelas:
> [...]
> > Would it be possible to have a: -macopt keyenv:varname and
> > -macopt keyexenv:varname for instance to be able to pass the
> > secret via environment variables instead (which on most systems
> > are a lot less public than command arguments)?
> [...]
>
> I see someone at
> https://github.com/openssl/openssl/issues/13382#issuecomment-1181577183
> with a similar concern suggested -macopt keyfile:file
>
> --
> Stephane
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20240608/b7123cec/attachment.htm>