Iuri,

The ns_crypto::hmac performs the HMAC (Keyed-Hashing for
Message Authentication) as specified in RFC 2104, using a symmetric
key provided via argument.

The HMAC can be verified the same way as a plain digest (without a secret):
If a received HMAC (or digest) should be verified, it must be recomputed.
In the case of the HMAC, the receiver has to know the secret.

I see no need for an extra API call:

===========================================================================
set secret_key "foobar1234"
set data "This is my data"

set HMAC [ns_crypto::hmac string -digest sha256 $secret_key $data]

#
# To verify a received HMAC, one needs the key and the data as well
#
if { $HMAC eq [ns_crypto::hmac string -digest sha256 $secret_key $data] } {
   ns_log notice "Data verified"
}
===========================================================================

The ns_crypto interface provides as well the interface based on key files
(PEM files) provided for "ns_crypto::md". In the case of the PEM
files, it is more effort to extract keys, since there exist several
algorithms, key types etc., which are specified inside the PEM
files. Therefore, this interface works for multiple key types,
including RSA and elliptic curves.

In this variant, the message key can be signed with

   set sig [::ns_crypto::md string ... -sign PEM ...]

and verified with

   ::ns_crypto::md string ... -verify PEM -signature $sig ...

Below is the example from the man page.

all the best
-gn

===========================================================================
% set sig [::ns_crypto::md string \
             -digest sha1 \
             -encoding binary \
             -sign /usr/local/src/naviserver/myprivate.pem \
             "abcdefghijklmnopqrstuxvwxyz\n"]
% set vfy [::ns_crypto::md string \
             -digest sha1 \
             -verify /usr/local/src/naviserver/myprivate.pem \
             -signature $sig \
             "abcdefghijklmnopqrstuxvwxyz\n"]
1
===========================================================================
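
Added example, not part of the original message and not NaviServer code: the RFC 2104 construction and the verify-by-recomputation step described above, written in Python with the message's sample key and data. The function names are hypothetical, hex output is an assumption of this sketch, and the comparison uses a constant-time function instead of a plain string equality.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes ("B" in RFC 2104)


def hmac_sha256_rfc2104(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 built step by step as RFC 2104 defines it; returns hex."""
    # Keys longer than one block are hashed first; all keys are zero-padded to B.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + data).digest()      # H(K xor ipad || text)
    return hashlib.sha256(opad + inner).hexdigest()   # H(K xor opad || inner)


def verify_hmac(key: bytes, data: bytes, received_hex: str) -> bool:
    """Verify a received tag by recomputing it; needs the same key and data."""
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not reveal how much of a forged tag was correct.
    return hmac.compare_digest(expected.encode("ascii"),
                               received_hex.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    # Sample values taken from the message above.
    secret_key, data = b"foobar1234", b"This is my data"
    tag = hmac_sha256_rfc2104(secret_key, data)
    print("tag:", tag)
    print("genuine message :", verify_hmac(secret_key, data, tag))
    print("modified message:", verify_hmac(secret_key, data + b"!", tag))
    print("wrong key       :", verify_hmac(b"other-key", data, tag))
```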


