Fastest path to Lua SHA256 RFC-2104 compliant HMAC signature? - c

I'm running Debian Linux, and for a Lua script I need to create a SHA256 checksum to authenticate requests to Amazon Web Services. They don't say for sure but it looks as if they may want a base64 encoding of the resulting SHA256 checksum.
I'd be happy if someone had done a Lua binding.
I'd be content if someone could help me figure out how to use the command-line /usr/bin/sha256sum for this purpose.
I'd settle for a pointer to C code and deal with the hassle of the binding and the base64 encoding myself.
I surely don't need to reimplement SHA256 for myself; if someone has an implementation in ANSI standard C that they like, please let me know. Or a better solution!

How about LuaCrypto, a front-end for OpenSSL:
http://luacrypto.luaforge.net/

It looks like mushclient has already written a Lua wrapper for a SHA-256 library.

A work-around might be the free signing service at http://apisigning.com/

Related

How to encode/decode ASN.1 streams with OpenSSL?

I need an API to encode/decode an ASN.1 stream. I've read that OpenSSL supports this in C and I have access to it in my project, though I don't know how to actually use these functions. I effectively need to decode a struct, a SEQUENCE. Can anyone recommend how to do so?
It looks like openssl can be used to generate ASN.1 encodings of data through a cumbersome command line interface. It's not really an API that you could use - you'd be having to create one yourself that, underneath, made a lot of system calls like system("openssl asn1parse -genstr 'UTF8:Hello World'"). That sounds like a lot of work.
You're far better off using a proper ASN.1 toolset, take a look at the tools page on the ITU's website.

HMAC implementation in C with SHA384

I need an HMAC implementation with SHA384 in C. It is needed for some API I'm writing.
If anyone can provide at least a starting point I would be happy. Thanks!
Use the openssl library.
An example of using openssl to generate an SHA384 hash is here: http://www.askyb.com/cpp/openssl-sha384-hashing-example-in-cpp/
It claims to be in C++ but it's pretty much straight C.

OpenSSL EVP AES/DES Encryption Implementation

I'm trying to implement some basic AES/DES encryption/decryption in small apps. Mainly to store sensitive user information.
I've seen a lot of examples of implementations in C which is what I want because it's easy to use in Objective-C later, but I can't really make them work. Most of the examples are from 5-10 years ago and have a lot of deprecated and unused stuff and I can't simply make them work. Other just end up in segmentation fault and other errors.
Lately I've been reading a book called "Network Security With OpenSSL". It has a lot of interesting content, but I can't compile most of the examples.
I was already able to encrypt/decrypt stuff using OpenSSL in PHP and on the command line interface too, but no luck with C.
Can someone please give me working examples from today (not from 10 years ago!) how I should work with this in C?
From the same folks:
https://opensource.conformal.com/viewgit/?a=viewblob&p=cyphertite&h=899259f8ba145c11087088ec83153db524031800&hb=6782c6839d847fbed0aed8c55917e78b5684110f&f=cyphertite/ct_crypto.c
Look at the ct_crypto_* functions. They use AES-XTS which is a much better idea then DES (don't use DES!!)
Code compiles and works like a champ. There are examples in the code but they might be a little tangly but everything is there to do it right.
The best example I know of which is both concise and useable out-of-the-box is AgglomeratedSSL, which is an OpenSSL wrapper: https://opensource.conformal.com/wiki/Agglomerated_SSL. Comes with a few example clients and servers using the wrapper API, and the code itself is an example of using OpenSSL for basic tasks.
PS: For a humorous look at the state of OpenSSL documentation, see http://www.peereboom.us/assl/assl/html/openssl.html

What programs use GSS-API? Any decent sample programs?

I thought I wanted to use GSS-API, but now am not so sure, since I'm having a hard time finding good sample code for a trivial client/server pair. Sun has documentation including sample code, but it's written specifically for their GSS API implementation, using a few proprietary functions not in e.g. the GNU GSS-API (and for which it's not immediately clear to me how to re-implement them against the GNU implementation). Plus, it's written in pre-ANSI C, with K&R function declarations and so on (I had no problem converting the declarations, but it did make me think the Sun example code may be so old as to be irrelevant).
Have you used the GSS-API in an application in, say, the last decade? Do you know of some self-contained tutorial with example programs that's worth reading?
Alternatively, maybe I'm on the wrong track and should try SASL instead. The GNU GSS-API author himself suggests as much.
For what it's worth, I'm using GCC on Linux, and have Kerberos set up already for other purposes.
Yes, you should absolutely be using SASL instead of GSSAPI. It is a much better supported protocol, and the libraries are pretty good. At the very least, you can think of it as a sanity-improving wrapper over GSSAPI, since that is one of the typical plugins implemented for SASL. The only reason you should consider using GSSAPI directly is to implement a SASL library. But don't do that. :)
SASL also has wide use. It is specified as part of IMAP and XMPP.
Are you implementing some custom protocol over TCP?
Sun uses the GSSAPI in their Java code. You can find a bit more information about it here:
Equivalent of 'gss_import_name' and 'gss_init_sec_context' methods in java?
Also you may want to look at the code implementation done by the folks at OpenJDK:
http://www.docjar.org/docs/api/sun/security/jgss/GSSContextImpl.html
They have published a full working example of GSSAPI written in Java.
Grant

Signature files for document retrieval

I was wondering if you know somewhere where I can find information on how to build a signature file for docuement retrieval.
Do you know if there is some code out there that I can use or look at?
I have to create a signature file in C++ under linux platform.
UPDATE: Sorry, I appreciatte the help but I was refering to signature files not as a way to validate documents but as a way of indexing documents.
http://en.wikipedia.org/wiki/Signature_files
Any help will be greatly appreciated.
Thanks,
Firstly, lets clarify some terminology.
A Digital Signature is intended to be equivilent to a handwritten signature (see http://en.wikipedia.org/wiki/Digital_signature for a better description and overview).
When a digital signature is applied to a document you get a higher level of assurance of the authenticity of the document (you have a better idea if the document was forged or not).
The answers from Adam and Robert both refer to methods for verifying document integrity (that the document is unchanged). While a digital signature also provides this, a checksum (hash) does not provide authenticity.
So it's important that we establish the needs of your "Signature file". I will assume that you are talking about Digital Signatures, rather than checksums as the other answers address checksums.
You will want to compose a PKCS#7 detached signature (jargon - a standard format signature that does not contain the data, so it can be stored seperately). To acheive this I recommend you use a standard library such as OpenSSL (which is portable).
For more information on PKCS#7 see http://www.rsa.com/rsalabs/node.asp?id=2129
For more information on OpenSSL see http://www.openssl.org/
You might look at Semantic Hacker or Yahoo Term Extraction.
md5sum might be what you are looking for. Source code for generating md5 signatures is available if you Google around.
From Wikipedia:
Because almost any change to a file
will cause its MD5 hash to also
change, the MD5 hash is commonly used
to verify the integrity of files
(i.e., to verify that a file has not
changed as a result of file transfer,
disk error, meddling, etc.). The
md5sum program is installed by default
in most Unix, Linux, and Unix-like
operating systems or compatibility
layers. BSD variants (including Mac OS
X) have a similar utility called md5.
Versions for Microsoft Windows do
exist.
Similarly to Adam's suggestion, if you're working on a very large amount of documents, it might be a good idea to check out SHA1 and sha1sum. Less collisions, and a bit more advanced encryption.

Resources