I'm trying to encrypt some form data with OpenSSL on Windows and I'm having a hard time figuring out the correct syntax. With the following command, OpenSSL returns a PKCS7 message, but still gives me a "& was unexpected at this time" message.
(openssl smime -sign -signer client-public.pem -inkey client-private.pem -outform der -nodetach -binary^
formkey1=formvalue1^
formkey2=formvalue2^
formkey3=formvalue3^
^
^
) | openssl smime -encrypt -des3 -binary -outform pem server-public.pem
I feel like my pipeline is causing some problem in there but I have no idea what I should do to have a clean, error-free result.
There is no need to split it into multiple lines.
So you should first test if it works on a single line.
Then you could use the multiline caret, but don't forget to add a space in the next line, else it will paste the complete text together without any delimiters.
And the caret just before the closing parenthesis will fail, as a multiline caret escapes the first character of the next line, so your closing parenthesis will not close anything.
This should work
(openssl smime -sign -signer client-public.pem -inkey client-private.pem -outform der -nodetach -binary^
 formkey1=formvalue1^
 formkey2=formvalue2^
 formkey3=formvalue3
) | openssl smime -encrypt -des3 -binary -outform pem server-public.pem
I'd like to replace a variable in a script template by a public and private certificate.
For example, I've generated a harbor.crt public certificate and a harbor.key private key with the following command:
sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /data/harbor.key -out /data/harbor.crt -subj "/CN=$LOCAL_IP" -addext "subjectAltName=IP:127.0.0.1,IP:$LOCAL_IP"
In a template script, I have the following variables I'd like to replace with the above files:
CFG_HARBOR_CRT="CRT" # Harbor registry certificate
CFG_HARBOR_KEY="KEY" # Harbor registry key
To replace those values, I've tried to do something like that:
HARBOR_CRT=`sudo cat /data/harbor.crt`
HARBOR_KEY=`sudo cat /data/harbor.key`
sudo sed -i "s/CFG_HARBOR_CRT\=\"[^\"]*\"/CFG_HARBOR_CRT\=\"$HARBOR_CRT\"/g" ./template-script.sh
sudo sed -i "s/CFG_HARBOR_KEY\=\"[^\"]*\"/CFG_HARBOR_KEY\=\"$HARBOR_KEY\"/g" ./template-script.sh
But both commands failed on: sed: -e expression #1, char 70: unterminated `s' command
Is there a way to use the sed command with unescaped variables?
I suspect there's info missing here. Why use sed at all?
For the simple case, just replace the markers with file reads.
CFG_HARBOR_CRT="$(</data/harbor.crt)"
CFG_HARBOR_KEY="$(</data/harbor.key)"
That might mean you need to run the whole script with elevated priv's though, so I understand why you might not want to do that.
...do you need root to read those files?
If so, and if you don't want the whole script run as root, maybe this:
$: sed 's,^CFG_HARBOR_CRT="CRT",CFG_HARBOR_CRT="$(sudo cat /data/harbor.crt)",
s,^CFG_HARBOR_KEY="KEY",CFG_HARBOR_KEY="$(sudo cat /data/harbor.key)",' tmpf
CFG_HARBOR_CRT="$(sudo cat /data/harbor.crt)" # Harbor registry certificate
CFG_HARBOR_KEY="$(sudo cat /data/harbor.key)" # Harbor registry key
Switching / to , as the demarcation reduces leaning toothpick syndrome.
Switching `...` to $(...) improves flexibility, stability, readability, etc.
Pulling out of comments to get better visibility ...
Consider running the files through base64 and embedding the result into the script, then on the other end run base64 -d to decrypt the data and store in the target files.
Using base64 encoded data should eliminate most (all?) of the sed headaches of dealing with special characters and/or trying to find a sed script delimiter that's not in the data.
OP/Manitoba's reply comment:
That did the trick. I used HARBOR_CRT=$(sudo cat /data/harbor.crt | base64 -w 0) to convert the certificate to B64 and echo $CFG_HARBOR_CRT | base64 --decode to decode.
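The base64 approach from the answer and the reply above, worked through end to end as an added example (not code from either poster): the template markers are filled with single-line base64 and decoded back on the consumer side. The sample PEM files, the template and the temp directory are all constructed here, and the block also shows why the sed delimiter must not be '/' even for base64 text.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts): the base64 round trip in full,
# so sed never sees the raw PEM text. Everything happens in a temp dir.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed placeholder "certificate" and "key" (not real PEM material); they
# deliberately contain '/', '+', '&' and newlines, which all break a plain s/../../.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB/constructed+sample&data==' \
  '-----END CERTIFICATE-----' > "$work/harbor.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE/constructed+key&data==' \
  '-----END PRIVATE KEY-----' > "$work/harbor.key"

cat > "$work/template-script.sh" <<'EOF'
CFG_HARBOR_CRT="CRT" # Harbor registry certificate
CFG_HARBOR_KEY="KEY" # Harbor registry key
EOF

# One-line base64 without relying on GNU 'base64 -w 0'.
b64_one_line() { base64 < "$1" | tr -d '\n'; }

# Replace the CRT/KEY markers with base64 text. ',' is used as the sed
# delimiter: the base64 alphabet (A-Z a-z 0-9 + / =) never contains a comma,
# but it does contain '/', so the usual s/.../.../ would still break.
fill_template() {
  local tpl=$1 crt_b64 key_b64
  crt_b64=$(b64_one_line "$2")
  key_b64=$(b64_one_line "$3")
  sed -e "s,^CFG_HARBOR_CRT=\"CRT\",CFG_HARBOR_CRT=\"$crt_b64\"," \
      -e "s,^CFG_HARBOR_KEY=\"KEY\",CFG_HARBOR_KEY=\"$key_b64\"," \
      "$tpl" > "$tpl.new" && mv "$tpl.new" "$tpl"
}

# Consumer side: source the filled template, decode back to files and confirm
# the round trip reproduced the originals byte for byte. Returns 0 on success.
roundtrip_ok() {
  fill_template "$work/template-script.sh" "$work/harbor.crt" "$work/harbor.key"
  # shellcheck disable=SC1091
  . "$work/template-script.sh"
  printf '%s' "$CFG_HARBOR_CRT" | base64 -d > "$work/out.crt"
  printf '%s' "$CFG_HARBOR_KEY" | base64 -d > "$work/out.key"
  cmp -s "$work/harbor.crt" "$work/out.crt" &&
    cmp -s "$work/harbor.key" "$work/out.key"
}
```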
I have generated a public/private keypair with OpenSSL. I want to use the private key now to sign my message using OpenSSL, and I was thinking to stay in a bash environment. I am required to use SHA-RSA1.
So far, I was suggested the following code but I am not happy with it:
openssl.exe dgst -sha1 -sign C:\...\path\to\key\privatekey.pem -binary C:\...\path\to\message\message.txt
I don't want to have my message be stored in a file (message.txt) to generate a signature and in any case, I would need to use openssl base64 afterwards to get the base64 representation.
Is there a more proper way to achieve what I want (and a one liner would be great)?
Use openssl itself to encode base64
echo "$msg" | openssl dgst ... -binary | openssl enc -base64
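An added example (not the answer's own code) of that one-liner, with a signature check alongside it so the result can be confirmed; it assumes an openssl CLI on PATH and generates a throwaway RSA key pair itself. The digest defaults to sha256 here; set DIGEST=sha1 for the SHA1-RSA the question requires.

```shell
#!/usr/bin/env bash
# Added example (not the answer's own code): sign a message from stdin, emit
# the signature as one base64 line, then verify it with the public key.
# Assumes an 'openssl' CLI on PATH; keys live in a temp dir and are discarded.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Digest for the RSA PKCS#1 v1.5 signature. The OP's "SHA-RSA1" is DIGEST=sha1;
# sha256 is the default here because SHA-1 signatures are deprecated and some
# distributions' crypto policies refuse to create them.
DIGEST=${DIGEST:-sha256}

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$work/private.pem" 2>/dev/null
openssl pkey -in "$work/private.pem" -pubout -out "$work/public.pem"

# sign_b64 MESSAGE -> base64 signature on a single line. No message file: the
# text goes through the pipe, and printf avoids the trailing newline that echo
# would silently add to the signed bytes.
sign_b64() {
  printf '%s' "$1" |
    openssl dgst "-$DIGEST" -sign "$work/private.pem" -binary |
    openssl enc -base64 -A
}

# verify_b64 MESSAGE SIG_B64 -> 0 if the signature matches MESSAGE, 1 otherwise.
verify_b64() {
  local sig="$work/sig.bin"
  printf '%s' "$2" | openssl enc -base64 -d -A > "$sig"
  printf '%s' "$1" |
    openssl dgst "-$DIGEST" -verify "$work/public.pem" -signature "$sig" >/dev/null
}
```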
I have a pipe condition as:
if true | openssl s_client -connect $SSL_URL | openssl x509 -noout -dates -checkend 0 | grep 'notAfter';
Now I want to capture the value returned by grep 'notAfter' in a shell variable. How can I do that?
I have tried this
if true | openssl s_client -connect $SSL_URL | openssl x509 -noout -dates -checkend 0 | A=$("grep 'notAfter'");
but it is not working.
You are probably looking for
if A=$(openssl s_client -connect "$SSL_URL" </dev/null |
       openssl x509 -noout -dates -checkend 0 |
       grep 'notAfter')
then
    :
fi
This assigns the output of the pipeline to the variable A, and checks the result code from grep; if it succeeded (i.e. a match was found) the then branch of the conditional is taken.
The pipe from true is odd and unconventional; I imagine the purpose of that was to make sure it doesn't receive anything useful on standard input. The usual way to do that is to redirect stdin to come from /dev/null so I'm doing that instead.
Finally, notice also the proper quoting of the variable. If SSL_URL would happen to contain a shell metacharacter, you would get an error or in the worst case a security problem.
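The same if A=$(...) pattern as an added example (not the answer's code), run against a locally generated self-signed certificate instead of a live s_client connection so it works offline; it assumes an openssl CLI on PATH. It also covers a caveat the pipeline hides: without pipefail, the exit status of -checkend is lost and only grep's counts.

```shell
#!/usr/bin/env bash
# Added example (not the answer's own code): the corrected 'if A=$(...)'
# pattern run against a local certificate file instead of a live s_client
# connection, so it can be exercised offline. Assumes an 'openssl' CLI on PATH.
set -euo pipefail

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed self-signed test certificate, valid for one day from now.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
  -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null

# not_after CERT SECONDS -> prints the notAfter= line. Exit status 0 only when
# grep matched AND x509 -checkend says the certificate is still valid SECONDS
# from now. Without 'pipefail' the status would be grep's alone, so an already
# expired certificate would still pass the 'if' in the question.
not_after() {
  openssl x509 -in "$1" -noout -dates -checkend "$2" | grep 'notAfter'
}

# check_cert CERT [SECONDS] -> the answer's shape: the assignment sits in the
# condition and its status decides the branch. Returns 0 (valid) or 1.
check_cert() {
  local cert=$1 within=${2:-0} A
  if A=$(not_after "$cert" "$within"); then
    printf 'still valid %s s from now: %s\n' "$within" "$A"
  else
    printf 'expired or expiring within %s s: %s\n' "$within" "${A:-no notAfter line}"
    return 1
  fi
}
```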
I am trying to get a base64 encoded sha1 hash in a windows batch file.
The first thing I tried was with perl:
perl -M"Digest::SHA1 qw(sha1_base64)" -e "open(F,shift) or die; binmode F; print sha1_base64(<F>), qq(=\n)" "test.mxf"
This works great, but only for small files. With big files it says "Out of memory".
Then I downloaded an openssl version for windows and tried this:
"C:\openssl.exe" dgst -sha1 -binary -out "hash_sha1.txt" "C:\test.mxf"
set /p hash_sha1=<"hash_sha1.txt"
del "hash_sha1.txt"
echo !hash_sha1!
echo -n '!hash_sha1!' | "C:\openssl.exe" enc -base64
But the output of the openssl method is different from the Perl output and I know that the Perl method produces the correct output. What do I have to change?
There's no -n parameter of echo so -n AND single quotes are part of the output.
The intermediate files and variables aren't needed, use piping.
The entire code:
openssl dgst -sha1 -binary "C:\test.mxf" | openssl enc -base64
If you create a Digest::SHA1 object, you can use the add method to calculate the hash incrementally.
There is also no need to explicitly open files passed as command-line parameters. They are opened automatically using the built-in file handle ARGV, and can be read with the empty diamond operator <>.
perl -Mopen=IN,:raw -MDigest::SHA1 -e"$d=Digest::SHA1->new; $d->add($_) while <>; print $d->b64digest, qq{=\n}" 5GB.bin
This command line was quite happy to generate the SHA1 hash of a 5GB file, but if you are unlucky enough to have a very big file that contains no linefeeds then you will have to set a read block size with something like
local $/ = \(1024*1024)
I am trying to decrypt a video file using openssl. But 16 byte aes key has a line feed (LF) character in it.
x
yÏï:YÛI?þbl
Because of the LF, when I copy the key to the terminal, it sends only "x" not the whole key.
How can I type this key on terminal?
openssl aes-128-cbc -d -in input.ts -out output.ts -pass [aes_key]
Try parameter -K
from openssl help:
-K/-iv key/iv in hex is the next argument
So something like this should work
openssl aes-128-cbc -d -in input.ts -out output.ts -K 00EF45....
where 00EF45.... will be your aes key in hexadecimal format.
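An added example (not the answer's code) that reads a raw 16-byte key containing an LF from a file, converts it to the hex form -K expects, and round-trips a constructed sample file through aes-128-cbc; it assumes an openssl CLI on PATH. The key, IV and input are all constructed, and the block adds one point the answer omits: -K must be paired with -iv.

```shell
#!/usr/bin/env bash
# Added example (not the answer's own code): hand a raw 16-byte key that
# contains a line feed to openssl as hex via -K, so the raw bytes never have
# to be typed or pasted. Assumes an 'openssl' CLI on PATH.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample key: 16 bytes whose second byte is 0x0a (LF), like the
# OP's. It is written with printf octal escapes and kept in a file.
printf 'x\012\317\357:Y\333I?\376bl\200\201\202\203' > "$work/aes.key"

# to_hex FILE -> file contents as one line of lowercase hex (od is POSIX, so
# this works where xxd is not installed).
to_hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# -K must be paired with -iv: openssl enc refuses a CBC cipher with a key but no
# IV ("iv undefined"). For HLS segments the IV comes from the playlist's
# EXT-X-KEY IV= attribute or, when absent, the segment's media sequence number.
IV=000102030405060708090a0b0c0d0e0f   # constructed sample IV (hex)

# encrypt_ts/decrypt_ts IN OUT KEYFILE ('openssl enc -aes-128-cbc' is the
# long form of the 'openssl aes-128-cbc' used in the question).
encrypt_ts() {
  openssl enc -aes-128-cbc -e -in "$1" -out "$2" -K "$(to_hex "$3")" -iv "$IV"
}
decrypt_ts() {
  openssl enc -aes-128-cbc -d -in "$1" -out "$2" -K "$(to_hex "$3")" -iv "$IV"
}

# roundtrip_ok -> 0 when decrypt(encrypt(input)) reproduces the input exactly.
roundtrip_ok() {
  printf 'constructed stand-in for an MPEG-TS segment\n' > "$work/input.ts"
  encrypt_ts "$work/input.ts" "$work/enc.ts" "$work/aes.key"
  decrypt_ts "$work/enc.ts" "$work/output.ts" "$work/aes.key"
  cmp -s "$work/input.ts" "$work/output.ts"
}
```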