
openssl dgst add support for reading the hmac key from a file #13382

Open
sharad1126 opened this issue Nov 11, 2020 · 16 comments
Labels
triaged: feature The issue/pr requests/adds a feature triaged: OTC evaluated This issue/pr was triaged by OTC
Comments

@sharad1126

sharad1126 commented Nov 11, 2020

openssl dgst -sha256 -hmac ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8 q1.txt

where ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8 is the SHA256 key and q1.txt is the ciphertext in base64, gives a different value compared to when you give the SHA256 key in a file instead, like:

openssl dgst -sha256 -hmac key.txt q1.txt

I am not sure why this happens, but mostly it's an issue where the HMAC-SHA256 returns a different value. Also, to confirm, the first command gives the correct HMAC-SHA256 and the second one gives a wrong tag. It would be great if one of the OpenSSL contributors could take a look and explain why this happens.

@sharad1126 sharad1126 added the issue: bug report The issue was opened to report a bug label Nov 11, 2020
@kroeckx
Member

kroeckx commented Nov 11, 2020 via email

@sharad1126
Author

sharad1126 commented Nov 11, 2020

@kroeckx I can assure you it doesn't have any whitespace, including a newline.

@kroeckx
Member

kroeckx commented Nov 11, 2020 via email

@sharad1126
Author

yeah, I did.

@paulidale
Contributor

openssl dgst -sha256 -hmac key.txt q1.txt

Won't this use the string key.txt as the key?

How about: openssl dgst -sha256 -hmac "$(cat -n key.txt)" q1.txt ?

@sharad1126
Author

this also gives a very different tag using key.txt

@paulidale
Contributor

My mistake, openssl dgst -sha256 -hmac "$(cat key.txt)" q1.txt

I mixed up cat and echo options.

@mattcaswell
Member

The -hmac option expects an argument which is the key. Note this is not the key in hex format. It is the exact key that is to be used. So in your case the string "ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8" vs the string "key.txt" are clearly different strings and therefore you will get different results. @paulidale's solution might do the job - but the question I have is: are the contents of that file the string "ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8" or is the binary data represented by that hex value? To get the same results the key needs to be the string not the binary data.

@sharad1126
Author

sharad1126 commented Nov 12, 2020

@paulidale but this command is basically doing the same as providing the hex key directly, as in openssl dgst -sha256 -hmac ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8 q1.txt, because you cat the key file and give the value. It does work as expected, but why can't we give key.txt directly as a parameter?

@mattcaswell the content of the key.txt is exactly equal to ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8 and therefore I don't understand why openssl dgst -sha256 -hmac key.txt q1.txt fails to work.

@mattcaswell
Member

ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8 and therefore I don't understand why openssl dgst -sha256 -hmac key.txt q1.txt fails to work.

Because the -hmac option does not read a file. It reads the key from the command line. There is no option to get the hmac key from a file. So in this case you are using the filename as the key (not the contents of the file).
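The following is an added example, not code from the issue or from OpenSSL: it models in Python each interpretation of "the key" that comes up in the thread (the literal filename that -hmac actually receives, the 64-character hex string, that string with the trailing newline a text editor would add, and the 32 raw bytes the hex represents) and shows which of them agree. The -macopt hexkey: form modelled by key_from_hexkey_option is OpenSSL's documented way to pass a hex-encoded key and is not mentioned in the thread above; the message bytes are a constructed stand-in for q1.txt.

```python
import hmac
import hashlib

# Key value taken from the issue thread; MESSAGE is a constructed stand-in for q1.txt.
KEY_HEX = "ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8"
MESSAGE = b"constructed stand-in for the contents of q1.txt\n"


def hmac_sha256(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 of msg under key as a lowercase hex tag, which is what `openssl dgst -sha256 -hmac` prints."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def key_from_hmac_option(arg: str) -> bytes:
    """Models `-hmac ARG`: the argument is the key byte-for-byte; it is neither hex-decoded nor opened as a file."""
    return arg.encode()


def key_from_hexkey_option(arg: str) -> bytes:
    """Models `-mac hmac -macopt hexkey:ARG`: the argument is hex-decoded into raw key bytes."""
    return bytes.fromhex(arg)


def key_from_file(contents: bytes, strip_trailing_newline: bool) -> bytes:
    """Models reading key.txt. With strip_trailing_newline=True this matches `-hmac "$(cat key.txt)"`,
    because POSIX command substitution drops trailing newlines; with False it is the raw file content."""
    return contents.rstrip(b"\n") if strip_trailing_newline else contents


def tags_for_each_interpretation() -> dict:
    """Tag the same message under every interpretation of 'the key' discussed in the thread."""
    file_with_newline = KEY_HEX.encode() + b"\n"  # key.txt as most editors save it
    return {
        "literal filename": hmac_sha256(key_from_hmac_option("key.txt"), MESSAGE),
        "hex string as key": hmac_sha256(key_from_hmac_option(KEY_HEX), MESSAGE),
        "cat key.txt": hmac_sha256(key_from_file(file_with_newline, True), MESSAGE),
        "file incl newline": hmac_sha256(key_from_file(file_with_newline, False), MESSAGE),
        "hex-decoded bytes": hmac_sha256(key_from_hexkey_option(KEY_HEX), MESSAGE),
    }


if __name__ == "__main__":
    for name, tag in tags_for_each_interpretation().items():
        print(f"{name:18} {tag}")
```

Only "hex string as key" and "cat key.txt" produce the same tag; a trailing newline in the file, the filename itself, or hex-decoding the key each yield a different one.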

@kroeckx
Member

kroeckx commented Nov 12, 2020 via email

@sharad1126
Author

ad12d06829e909e10404c7beca0b93504b4f987294f5300f6d68bb78af8407b8 and therefore I don't understand why openssl dgst -sha256 -hmac key.txt q1.txt fails to work.

Because the -hmac option does not read a file. It reads the key from the command line. There is no option to get the hmac key from a file. So in this case you are using the filename as the key (not the contents of the file).

In this case, can I ask for a feature request then: it would be nice if -hmac took the key from a file! It would be better so that almost all features work in the same way, i.e. taking the key from a file.

@paulidale paulidale added triaged: feature The issue/pr requests/adds a feature triaged: OTC evaluated This issue/pr was triaged by OTC branch: master Merge to master branch and removed issue: bug report The issue was opened to report a bug labels Nov 17, 2020
@paulidale paulidale modified the milestone: Post 3.0.0 Nov 17, 2020
@kroeckx kroeckx removed the branch: master Merge to master branch label Dec 2, 2020
@richsalz
Contributor

It would be nice if -hmac took the key from a file! It would be better so that almost all features work in the same way, i.e. taking the key from a file.

What is the format of that file? Binary or base64 or hexbin? If base64 or hexbin, ignore newlines?

@richsalz
Contributor

This issue should be renamed "request key in file" or something.

@t8m t8m changed the title openssl gives different hmac-sha256 tag for same key using the same ciphertext openssl dgst add support for reading the hmac key from a file Apr 26, 2021
@t8m t8m added this to the Post 3.0.0 milestone Sep 24, 2021
@ap-wtioit

Currently, running openssl dgst -sha256 -hmac "$secret" -binary < contents.txt exposes the secret in /proc. It would be ideal if something like this was supported for dgst:
openssl aes-256-cbc -e -pbkdf2 --pass file:<(echo "$secret") -in "contents.txt"
e.g.:
openssl dgst -sha256 -mac hmac -macopt keyfile:<(echo -n "$secret") -binary < contents.txt

@nhorman
Contributor

nhorman commented Jun 11, 2024

It seems like we have duplicate issues here. Can we close this as a duplicate request of #24584
