2022-08-07 18:20:56 +0200, Francois:
[...]
> I am reading some doc instructing me to run
>
> printf '%s' "${challenge}" | openssl dgst -sha1 -hmac ${APP_TOKEN}
>
> Doing so would leak the APP_TOKEN on the command line arguments (so a
> user running a "ps" at the right time would see the APP_TOKEN in
> clear). Due to my machine setup, programs started and their arguments
> also end up in an audit log.
>
> I am reading the documentation on
> https://www.openssl.org/docs/manmaster/man1/openssl-dgst.html, that
> points at the preferred
> https://www.openssl.org/docs/manmaster/man1/openssl-mac.html
> , and all
> the examples have the key in clear text on the command line.
>
> Is there an equivalent command I can run that will not leak the key?
[...]
Hello,
I had the exact same concern and found this post by Francois in
the mailing list archives.
I see it was never answered.
Does it mean there is currently no safe way to pass the hmac
secret to the openssl utility to do HMAC in shell scripts?
Would it be possible to have a: -macopt keyenv:varname and
-macopt keyexenv:varname for instance to be able to pass the
secret via environment variables instead (which on most systems
are a lot less public than command arguments)?
I'd generally welcome any move to deprecate all APIs that rely
on passing secrets on the command line.
Best regards,
Stephane
