6

I'm trying to use openssl to create a cryptographic hash of a file using HMAC-SHA-256. I'm confused as to why I'm seeing a 'no such file or directory' error on the output.

The key I'm using is in a file called mykey.txt.

This is my command:

openssl dgst -sha256 -hmac -hex hexkey:$(cat mykey.txt) -out hmac.txt /bin/ps

And the output

enter image description here

Improve this question
0

3 Answers 3

Reset to default
12

-hmac takes the key as an argument (see manual), so your command asks for an HMAC using the key -hex. hexkey:... is taken as a filename, since it doesn't start with a dash, and openssl doesn't take options after filenames, so the following -out is also a filename.

To get the HMAC with a key given as a hex string, you'll need to use -mac hmac and -macopt hexkey:<key>. Note that using -hmac <key> and -mac hmac together doesn't work, and -macopt requires -mac hmac.

Test:

openssl dgst -sha256 -hmac abc <<< "message"
openssl dgst -sha256 -hmac abc -macopt hexkey:12345678 <<< "message"
openssl dgst -sha256 -mac hmac -macopt hexkey:616263 <<< "message"
perl -MDigest::HMAC=hmac_hex -MDigest::SHA=sha256 \
    -le 'print(hmac_hex("message\n", "abc", \&sha256))'

All give the hash 99592e56fcde028fb41882668b0cbfa0119116f9cf111d285f5cedb000cfc45a which agrees with a random online HMAC calculator for message message\n, key abc or 616263 in hex. (Note the newline at the end of message here.)

So, it seems you'd probably want

openssl dgst -sha256 -mac hmac -macopt hexkey:$(cat mykey.txt) -out hmac.txt /bin/ps

Since we're talking about cryptography, which is hard; and OpenSSL, which doesn't always have the most easy-to-use interfaces, I would suggest also verifying everything yourself, at least twice, instead of taking my word for it.

Improve this answer
3

openssl dgst -sha256 -hmac -hex -macopt hexkey:$(cat mykey.txt) -out hmac.txt /bin/ps

Improve this answer
4
  • At least on the OpenSSL (1.1.0f) on my system, that's exactly the same as if -macopt hexkey... was left out. That is, it calculates the HMAC using the key -hex, instead of using the parameter to -macopt. Commented May 20, 2018 at 18:49
  • Well, the question was "why am I seeing the error" - broken command arguments flow is often an irritating showstopper for further work. But sure, you're answer covers this much wider. Commented May 20, 2018 at 19:51
  • If all we care about is removing the immediate error message, then the command could have been reduced to just openssl dgst -sha256 -hmac -hex -out hmac.txt /bin/ps (or even further). That's probably not very useful, but at least it doesn't throw errors. Commented May 20, 2018 at 20:31
  • It's not about removing the error message by stepping back, but showing how to pass the hexkey argument itself. Commented May 20, 2018 at 20:44
0

my 2 cents if You are on iOS (or Mac OS...) tired of messing around I wrote it..

https://apps.apple.com/it/app/hmac-sha256generator/id6448465719?l=en

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.