HMAC SHA-256 for a signed AWS request - bash

EDIT: The issue is that I'm using hex encoded strings as the keys and I should be using raw bytes. How can I get the raw bytes out of the openssl command?
--- Original question ---
I'm attempting to follow the instructions for creating a signed iam request found here: https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html.
It basically says to produce the signing key and signature you follow these steps:
signing key = HMAC(HMAC(HMAC(HMAC("AWS4wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY","20150830"),"us-east-1"),"iam"),"aws4_request")
signature = HexEncode(HMAC(signing key, "AWS4-HMAC-SHA256\n20150830T123600Z\n20150830/us-east-1/iam/aws4_request\nf536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"))
I've created the following shell script as a test:
#!/usr/bin/env bash
set -euo pipefail
stringToSign="AWS4-HMAC-SHA256\n20150830T123600Z\n20150830/us-east-1/iam/aws4_request\nf536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"
dateKey=$(echo -n "20150830" | openssl dgst -sha256 -hmac "AWS4wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")
regionKey=$(echo -n "us-east-1" | openssl dgst -sha256 -hmac "$dateKey")
serviceKey=$(echo -n "iam" | openssl dgst -sha256 -hmac "$regionKey")
signingKey=$(echo -n "aws4_request" | openssl dgst -sha256 -hmac "$serviceKey")
echo "signing key: $signingKey"
signature=$(echo -n "$stringToSign" | openssl dgst -sha256 -hmac "$signingKey")
echo "signature: $signature"
The output is:
signing key: 8c028f7953b7f2b9fa6d2e816f7b15675dc2329c139e293b383759c5ba8af679
signature: 9fd29d6aaac30d0747da90c23a4b883a8bc02b439f35df255fa2f93f6c99f46f
dateKey is 45fb073b035485bb42f64d8d242984f3431d02e31c35ba4b661d31bbec45378d
However the document linked above says that it should be:
signing key: c4afb1cc5771d871763a393e44b703571b55cc28424d1a5e86da6ed3c154a4b9
signature: 5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
How can I produce the correct key and signature?
EDIT -- openssl version:
$ openssl version -a
LibreSSL 2.6.5
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

How can I get the raw bytes out of the openssl command?
Use -binary option. From manpage for openssl dgst:
openssl dgst [-cd] [-binary] [-digest] [-hex] [-hmac key] ...
-binary
Output the digest or signature in binary form.
To get the correct signature, I also had to replace the \n characters in the string to sign with actual newline characters.
Working script:
#!/usr/bin/env bash
set -euo pipefail
stringToSign="AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"
dateKey=$(echo -n "20150830" | openssl dgst -sha256 -binary -hmac "AWS4wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")
regionKey=$(echo -n "us-east-1" | openssl dgst -sha256 -binary -hmac "$dateKey")
serviceKey=$(echo -n "iam" | openssl dgst -sha256 -binary -hmac "$regionKey")
signingKey=$(echo -n "aws4_request" | openssl dgst -sha256 -binary -hmac "$serviceKey")
signature=$(echo -n "$stringToSign" | openssl dgst -sha256 -hmac "$signingKey")
echo "signature: $signature"
# signature: 5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7

Related

How to use openssl to output encrypted/decrypted message to stdout

I am just trying to encrypt/decrypt a password with the shell (non-interactively - it's for an automated script). I am following this example:
https://superuser.com/a/20552/362669
I tried converting it to this so that it doesn't use a file output.bin to store the encrypted text:
#!/usr/bin/env bash
cd `dirname "$BASH_SOURCE"`
# generate a 2048-bit RSA key and store it in key.txt
openssl genrsa -out key.txt 2048
# encrypt "hello world" using the RSA key in key.txt
encrypted="$(echo "hello world" | openssl rsautl -inkey key.txt -encrypt)"
echo "encrypted: $encrypted"
# decrypt the message and output to stdout
decrypted="$(echo "$encrypted" | openssl rsautl -inkey key.txt -decrypt)"
echo "decrypted: $decrypted";
but all I get is this garbully-guk:
Generating RSA private key, 2048 bit long modulus
........................................................................................................................+++
............................+++
e is 65537 (0x10001)
��◆J��┌ܥײ��R▒��%⎽F�� 1l�}�%��?�0���+��%���C�8|_/!�A"Ꜵ:�������.��W2Pras��1���� ��(�a
��]�[�남␍◆�=┬─�з≤�ɦ�;�└�1MFP��^␋�#D� �T_⎺F�Eπ�2��U2Ÿ┌π��N│�� ⎽��_\2�� 8V��%��(�^���␍4�#�π���*^D ���/�└�
RSA ⎺⎻␊⎼▒├␋⎺┼ ␊⎼⎼⎺⎼
4662363756:␊⎼⎼⎺⎼:04FFF06B:⎼⎽▒ ⎼⎺┤├␋┼␊⎽:CRYPTO_␋┼├␊⎼┼▒┌:␉┌⎺␌┐ ├≤⎻␊ ␋⎽ ┼⎺├ 02:/B┤␋┌␍R⎺⎺├/L␋␉⎼▒⎼≤/C▒␌␤␊⎽/␌⎺└.▒⎻⎻┌␊.│␉⎽/S⎺┤⎼␌␊⎽/┌␋␉⎼␊⎽⎽┌/┌␋␉⎼␊⎽⎽┌-22.260.1/┌␋␉⎼␊⎽⎽┌-2.6/␌⎼≤⎻├⎺/⎼⎽▒/⎼⎽▒_⎻┐1.␌:185:
4662363756:␊⎼⎼⎺⎼:04FFF072:⎼⎽▒ ⎼⎺┤├␋┼␊⎽:CRYPTO_␋┼├␊⎼┼▒┌:⎻▒␍␍␋┼± ␌␤␊␌┐ °▒␋┌␊␍:/B┤␋┌␍R⎺⎺├/L␋␉⎼▒⎼≤/C▒␌␤␊⎽/␌⎺└.▒⎻⎻┌␊.│␉⎽/S⎺┤⎼␌␊⎽/┌␋␉⎼␊⎽⎽┌/┌␋␉⎼␊⎽⎽┌-22.260.1/┌␋␉⎼␊⎽⎽┌-2.6/␌⎼≤⎻├⎺/⎼⎽▒/⎼⎽▒_␊▒≤.␌:580:
␍␊␌⎼≤⎻├␊␍:
▒┌␊│⎽-└▒␌:␋┼├␊⎼⎺⎽ ▒┌␊│$
and my shell session is basically messed up.
Anyone know what that is? Maybe it's outputting characters that the shell can't handle?
Update: if I don't log the encrypted value, then I get this:
Generating RSA private key, 2048 bit long modulus
........................+++
..........+++
e is 65537 (0x10001)
RSA operation error
4558829164:error:04FFF06B:rsa routines:CRYPTO_internal:block type is not 02:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/rsa/rsa_pk1.c:185:
4558829164:error:04FFF072:rsa routines:CRYPTO_internal:padding check failed:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/rsa/rsa_eay.c:580:
decrypted:
I think the best idea would be to convert the binary to/from base64.
Just pipe output through a "openssl base64" to command to enable and "openssl base64 -d" command to decode.
so:
encrypted="$(echo "hello world" | openssl rsautl -inkey key.txt
-encrypt | openssl base64)"
and
decrypted="$(echo "$encrypted" | openssl base64 -d | openssl rsautl
-inkey key.txt -decrypt)"

Openssl CSR Creation with -subj is failing

I'm having a Scirpt and I'm trying to create a self signed Cert:
openssl ecparam -genkey -name secp384r1 -out /etc/nginx/ssl/${MYDOMAIN}.key.pem >/dev/null 2>&1
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem -subj "/C=/ST=/L=/O=/OU=/CN=*.${MYDOMAIN}" >/dev/null 2>&1
openssl req -x509 -days 365 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -in /etc/nginx/ssl/csr.pem -out /etc/nginx/ssl/${MYDOMAIN}.pem >/dev/null 2>&1
The creation of the CSR should be silent due to the -subj paramter, but it's not working at all with this line:
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem -subj "/C=/ST=/L=/O=/OU=/CN=*.${MYDOMAIN}" >/dev/null 2>&1
I'm receiving an error like this:
[INFO] Creating self-signed SSL certificates...
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute O, skipped
No value provided for Subject Attribute OU, skipped
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
It was working in that way, before I updated Openssl to 1.1.0...
With:
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem subj "/C=DE/ST=Berlin/L=Berlin/O=Privat/OU=Privat/CN=*.${MYDOMAIN}" >/dev/null 2>&1
I'm getting this error:
[INFO] Creating self-signed SSL certificates...
unknown option subj
req [options] outfile
where options are
[...]

Creating certificate to sign GDB on Mac OS X from bash

I am trying to install gdb on Mac OS X by following link1 and link2. This process is done in four steps:
installing gdb using brew install gdb
creating a certificate
sign gdb using codesign -s [cert-name] [your-gdb-location]
How can I automate step 2 in a bash script?
This is my final code (based on here, here and here):
cat > myconfig.cnf << EOF
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = VENTOS
countryName = XX
localityName = Fun Land
organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
organizationalUnitName = SSL Dept.
stateOrProvinceName = YY
emailAddress = ssl-admin#example.com
name = John Doe
surname = Doe
givenName = John
initials = JXD
dnQualifier = some
[ my server exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
echo "generating the private key ..."
openssl genrsa -des3 -passout pass:foobar -out server.key 2048
echo ""
echo "generating the CSR (certificate signing request) ..."
openssl req -new -passin pass:foobar -passout pass:foobar -key server.key -out server.csr -config myconfig.cnf -extensions 'my server exts'
echo ""
echo "generating the self-signed certificate ..."
openssl x509 -req -passin pass:foobar -days 6666 -in server.csr -signkey server.key -out server.crt -extfile myconfig.cnf -extensions 'my server exts'
echo ""
echo "convert crt + RSA private key into a PKCS12 (PFX) file ..."
openssl pkcs12 -export -passin pass:foobar -passout pass:foobar -in server.crt -inkey server.key -out server.pfx
echo ""
echo "importing the certificate ..."
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
Now you can see the certificate listed in System keychains:
To sign gdb
sudo codesign -s VENTOS "$(which gdb)"

Padding errors using OpenSSL for encrypt/decrypt with Keys extracted from Digital Cert

I am using some command line Open SSL commands to encrypt and decrypt data using Public and Private keys extracted from a Digital Cert. When I try to decrypt I get PKCS padding errors. Can someone tell me where I'm going wrong?
These are the command I've been using:
a) Extract Public key: openssl x509 -pubkey -noout -in xxxxx.cer > xxxxxpublickey.pem
b) Extract Private Key:openssl pkcs12 -in xxxxxx.pfx -nocerts -out xxxxxprivatekey.pem -nodes
c) Encypt a key (.bin file): openssl enc -aes-256-cbc -in kenkey.bin -out kenkey_Key -pass file:xxxxxpublickey.pem
d) Decrypt key produced in c) openssl rsautl -decrypt -hexdump -in kenkey_key -inkey xxxxxprivatekey.key -out aeskey.txt
This produces errors like this:
RSA operation error 3248:error:0407109F:rsa
routines:RSA_padding_check_PKCS1_type_2:pkcs decoding
error:.\crypto\rsa\rsa_pk1.c:273: 3248:error:04065072:rsa
routines:RSA_EAY_PRIVATE_DECRYPT:padding check
failed:.\crypto\rsa\rsa_eay.c:602:

openssl smime in ruby/rails

So, i have this application that creates a zip file with images and stuff
and i want to sign it using smime.
if i use the terminal command:
openssl smime -binary -sign -passin "pass:MYPASS" -signer ./MyCertificate.pem -inkey ./MyKey.pem -in ./manifest.in -out ./signature.out -outform DER
Formated:
openssl smime -binary -sign -passin "pass:MYPASS" \
-signer ./MyCertificate.pem -inkey ./MyKey.pem \
-in ./manifest.in -out ./signature.out -outform DER
the manifest.in is the file witch contains the text to be signed and signature.out is the output file.
i don't know a lot about signing but i believe this code is signing my file using PKCS7
how can i recreate the same result with ruby/rails?
i have tried to look in the documentation of OpenSSL but i couldn't find anything usefull for me
EDIT
if this helps someone,
this is what the documentation says
i need to build a:
A detached PKCS#7 signature of the manifest
Found a way.
like this:
require 'secure_digest'
def sign_manifest(manifest = {})
manifest_str = manifest.to_json
key4_pem = File.read Rails.root.join("lib", "keys", "key.pem")
pass_phrase = "supera"
key = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
cert = OpenSSL::X509::Certificate.new File.read Rails.root.join("lib", "keys", "certificate.pem")
sign = OpenSSL::PKCS7.sign(cert, key, manifest_str, nil, OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOATTR | OpenSSL::PKCS7::DETACHED).to_der
sign
end
Just to clarify my code, manifest param is a hash witch i want to sign it using this code. if i want another item, like a image, string or file i just need do read it as string

Resources