Go to main content

Managing Encryption and Certificates in Oracle® Solaris 11.4

Exit Print View

Updated: May 2021
 
 

How to Compute a MAC of a File

A message authentication code, or MAC, computes a digest for the file and uses a secret key to further protect the digest. A MAC does not alter the original file.

  1. List the available mechanisms.
    $ mac -l
    Algorithm       Keysize:  Min   Max
    -----------------------------------
    sha1_hmac                   8   512
    md5_hmac                    8   512
    sha224_hmac                 8   512
    sha256_hmac                 8   512
    sha384_hmac                 8  1024
    sha512_hmac                 8  1024
    sha512_t_hmac               8  1024

    Note - Each supported algorithm is an alias to the most commonly used and least restricted version of a particular algorithm type. The preceding output shows available algorithm names and the keysize for each algorithm. Whenever possible, use a supported algorithm that matches a FIPS 140-2 approved algorithm with a FIPS 140-2 approved key length, listed at FIPS 140-2 Algorithms in the Cryptographic Framework in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.
  2. Generate a symmetric key of the appropriate length.

    You can provide either a passphrase from which a key will be generated or you can provide a key.

    • If you provide a passphrase, you must store or remember the passphrase. If you store the passphrase online, the passphrase file should be readable only by you.

    • If you provide a key, it must be the correct size for the mechanism. You can use the pktool command. For the procedure and some examples, see How to Generate a Symmetric Key by Using the pktool Command.

  3. Create a MAC for a file.

    Provide a key and use a symmetric key algorithm with the mac command.

    $ mac [-v] -a algorithm [-k keyfile | -K key-label [-T token]] input-file
    –v

    Displays the output in the following format:

    algorithm (input-file) = mac
    –a algorithm

    The algorithm to use to compute the MAC. Type the algorithm as the algorithm appears in the output of the mac -l command.

    –k keyfile

    The file that contains a key of algorithm-specified length.

    –K key-label

    The label of a key in the PKCS #11 keystore.

    –T token

    The token name. By default, it is Sun Software PKCS#11 softtoken. It is used only when the –K key-label option is used.

    input-file

    The input file for the MAC.

Example 7  Computing a MAC With SHA256_HMAC and a Passphrase

In the following example, the email attachment is authenticated with the SHA256_HMAC mechanism and a key that is derived from a passphrase. The MAC listing is saved to a file. If the passphrase is stored in a file, the file should not be readable by anyone but the user.

$ mac -v -a sha256_hmac email.attach
Enter passphrase: Type passphrase
sha256_hmac (email.attach) = 9c1ee...d6eb74e5d693b7605c96a23df238e52
$ echo "sha256_hmac (email.attach) = 9c1ee...d6eb74e5d693b7605c96a23df238e52" \
>> ~/sha256hmac.daily.05.13
Example 8  Computing a MAC With SHA256_HMAC and a Key File

In the following example, the directory manifest is authenticated with the SHA256_HMAC mechanism and a secret key. The results are placed in a file.

$ mac -v -a sha256_hmac \
-k $HOME/keyf/05.07.mack64 docs/* > $HOME/mac.docs.legal.05.07
$ more ~/mac.docs.legal.05.07
sha256_hmac (docs/legal1) = e1eb...814a595fb6f0aa8c77f6ef35a7f24ae07d1b9a55
sha256_hmac (docs/legal2) = 0460...88a34b895687ecfd97d1647b90fe3618f5114ff9
sha256_hmac (docs/legal3) = 9c1e...eee8a9913d6eb74e5d693b7605c96a23df238e52
sha256_hmac (docs/legal4) = 389f...cb340d33cca5e4aaa18534c06426d32594bdedf6
Example 9  Computing a MAC With SHA256_HMAC and a Key Label

In the following example, the directory manifest is authenticated with the SHA256_HMAC mechanism and a secret key. The results are placed in the user's PKCS #11 keystore. The user initially created the keystore and the password to the keystore by using the pktool setpin command.

$ mac -a sha256_hmac -K legaldocs0507 docs/*
Enter pin for Sun Software PKCS#11 softtoken:Type password

To retrieve the MAC from the keystore, the user uses the verbose option, and provides the key label and the name of the directory that was authenticated.

$ mac -v -a sha256_hmac -K legaldocs0507  docs/*
Enter pin for Sun Software PKCS#11 softtoken:Type password
sha256_hmac (docs/legal1) = e1eb...814a595fb6f0aa8c77f6ef35a7f24ae07d1b9a55
sha256_hmac (docs/legal2) = 0460...88a34b895687ecfd97d1647b90fe3618f5114ff9
sha256_hmac (docs/legal3) = 9c1e...eee8a9913d6eb74e5d693b7605c96a23df238e52
sha256_hmac (docs/legal4) = 389f...cb340d33cca5e4aaa18534c06426d32594bdedf6