Class: OpenSSL::HMAC

Inherits:
Object
  • Object
show all
Defined in:
ext/openssl/ossl_hmac.c,
lib/openssl/hmac.rb,
ext/openssl/ossl_hmac.c

Overview

OpenSSL::HMAC allows computing Hash-based Message Authentication Code (HMAC). It is a type of message authentication code (MAC) involving a hash function in combination with a key. HMAC can be used to verify the integrity of a message as well as the authenticity.

OpenSSL::HMAC has a similar interface to OpenSSL::Digest.

HMAC-SHA256 using one-shot interface

key = "key"
data = "message-to-be-authenticated"
mac = OpenSSL::HMAC.hexdigest("SHA256", key, data)
#=> "cddb0db23f469c8bf072b21fd837149bd6ace9ab771cceef14c9e517cc93282e"

HMAC-SHA256 using incremental interface

data1 = File.binread("file1")
data2 = File.binread("file2")
key = "key"
hmac = OpenSSL::HMAC.new(key, 'SHA256')
hmac << data1
hmac << data2
mac = hmac.digest

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#new(key, digest) ⇒ Object

Returns an instance of OpenSSL::HMAC set with the key and digest algorithm to be used. The instance represents the initial state of the message authentication code before any data has been processed. To process data with it, use the instance method #update with your data as an argument.

Example

key = ‘key’ instance = OpenSSL::HMAC.new(key, ‘SHA1’) #=> f42bb0eeb018ebbd4597ae7213711ec60760843f instance.class #=> OpenSSL::HMAC

A note about comparisons

Two instances can be securely compared with #== in constant time:

other_instance = OpenSSL::HMAC.new(‘key’, ‘SHA1’) #=> f42bb0eeb018ebbd4597ae7213711ec60760843f instance == other_instance #=> true



92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# File 'ext/openssl/ossl_hmac.c', line 92

static VALUE
ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
{
    EVP_MD_CTX *ctx;
    EVP_PKEY *pkey;

    GetHMAC(self, ctx);
    StringValue(key);
    pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
                                (unsigned char *)RSTRING_PTR(key),
                                RSTRING_LENINT(key));
    if (!pkey)
        ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
    if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
                           NULL, pkey) != 1) {
        EVP_PKEY_free(pkey);
        ossl_raise(eHMACError, "EVP_DigestSignInit");
    }
    /* Decrement reference counter; EVP_MD_CTX still keeps it */
    EVP_PKEY_free(pkey);

    return self;
}

Class Method Details

.base64digest(digest, key, data) ⇒ Object

:call-seq:

HMAC.base64digest(digest, key, data) -> aString

Returns the authentication code as a Base64-encoded string. The digest parameter specifies the digest algorithm to use. This may be a String representing the algorithm name or an instance of OpenSSL::Digest.

Example

key = 'key'
data = 'The quick brown fox jumps over the lazy dog'

hmac = OpenSSL::HMAC.base64digest('SHA1', key, data)
#=> "3nybhbi3iqa8ino29wqQcBydtNk="


73
74
75
# File 'lib/openssl/hmac.rb', line 73

def base64digest(digest, key, data)
  [digest(digest, key, data)].pack("m0")
end

.digest(digest, key, data) ⇒ Object

:call-seq:

HMAC.digest(digest, key, data) -> aString

Returns the authentication code as a binary string. The digest parameter specifies the digest algorithm to use. This may be a String representing the algorithm name or an instance of OpenSSL::Digest.

Example

key = 'key'
data = 'The quick brown fox jumps over the lazy dog'

hmac = OpenSSL::HMAC.digest('SHA1', key, data)
#=> "\xDE|\x9B\x85\xB8\xB7\x8A\xA6\xBC\x8Az6\xF7\n\x90p\x1C\x9D\xB4\xD9"


35
36
37
38
39
# File 'lib/openssl/hmac.rb', line 35

def digest(digest, key, data)
  hmac = new(key, digest)
  hmac << data
  hmac.digest
end

.hexdigest(digest, key, data) ⇒ Object

:call-seq:

HMAC.hexdigest(digest, key, data) -> aString

Returns the authentication code as a hex-encoded string. The digest parameter specifies the digest algorithm to use. This may be a String representing the algorithm name or an instance of OpenSSL::Digest.

Example

key = 'key'
data = 'The quick brown fox jumps over the lazy dog'

hmac = OpenSSL::HMAC.hexdigest('SHA1', key, data)
#=> "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"


54
55
56
57
58
# File 'lib/openssl/hmac.rb', line 54

def hexdigest(digest, key, data)
  hmac = new(key, digest)
  hmac << data
  hmac.hexdigest
end

Instance Method Details

#==(other) ⇒ Object

Securely compare with another HMAC instance in constant time.



6
7
8
9
10
11
# File 'lib/openssl/hmac.rb', line 6

def ==(other)
  return false unless HMAC === other
  return false unless self.digest.bytesize == other.digest.bytesize

  OpenSSL.fixed_length_secure_compare(self.digest, other.digest)
end

#base64digestObject

:call-seq:

hmac.base64digest -> string

Returns the authentication code an a Base64-encoded string.



17
18
19
# File 'lib/openssl/hmac.rb', line 17

def base64digest
  [digest].pack("m0")
end

#digestString

Returns the authentication code an instance represents as a binary string.

Example

instance = OpenSSL::HMAC.new(‘key’, ‘SHA1’) #=> f42bb0eeb018ebbd4597ae7213711ec60760843f instance.digest #=> “xF4+xB0xEExB0x18xEBxBDEx97xAErx13qx1ExC6a‘x84?”

Returns:

  • (String)


174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# File 'ext/openssl/ossl_hmac.c', line 174

static VALUE
ossl_hmac_digest(VALUE self)
{
    EVP_MD_CTX *ctx;
    size_t buf_len = EVP_MAX_MD_SIZE;
    VALUE ret;

    GetHMAC(self, ctx);
    ret = rb_str_new(NULL, EVP_MAX_MD_SIZE);
    if (EVP_DigestSignFinal(ctx, (unsigned char *)RSTRING_PTR(ret),
                            &buf_len) != 1)
        ossl_raise(eHMACError, "EVP_DigestSignFinal");
    rb_str_set_len(ret, (long)buf_len);

    return ret;
}

#hexdigestString Also known as: inspect, to_s

Returns the authentication code an instance represents as a hex-encoded string.

Returns:

  • (String)


198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
# File 'ext/openssl/ossl_hmac.c', line 198

static VALUE
ossl_hmac_hexdigest(VALUE self)
{
    EVP_MD_CTX *ctx;
    unsigned char buf[EVP_MAX_MD_SIZE];
    size_t buf_len = EVP_MAX_MD_SIZE;
    VALUE ret;

    GetHMAC(self, ctx);
    if (EVP_DigestSignFinal(ctx, buf, &buf_len) != 1)
        ossl_raise(eHMACError, "EVP_DigestSignFinal");
    ret = rb_str_new(NULL, buf_len * 2);
    ossl_bin2hex(buf, RSTRING_PTR(ret), buf_len);

    return ret;
}

#initialize_copy(other) ⇒ Object



116
117
118
119
120
121
122
123
124
125
126
127
128
129
# File 'ext/openssl/ossl_hmac.c', line 116

static VALUE
ossl_hmac_copy(VALUE self, VALUE other)
{
    EVP_MD_CTX *ctx1, *ctx2;

    rb_check_frozen(self);
    if (self == other) return self;

    GetHMAC(self, ctx1);
    GetHMAC(other, ctx2);
    if (EVP_MD_CTX_copy(ctx1, ctx2) != 1)
        ossl_raise(eHMACError, "EVP_MD_CTX_copy");
    return self;
}

#resetself

Returns hmac as it was when it was first initialized, with all processed data cleared from it.

Example

data = “The quick brown fox jumps over the lazy dog” instance = OpenSSL::HMAC.new(‘key’, ‘SHA1’) #=> f42bb0eeb018ebbd4597ae7213711ec60760843f

instance.update(data) #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9 instance.reset #=> f42bb0eeb018ebbd4597ae7213711ec60760843f

Returns:

  • (self)


234
235
236
237
238
239
240
241
242
243
244
245
246
# File 'ext/openssl/ossl_hmac.c', line 234

static VALUE
ossl_hmac_reset(VALUE self)
{
    EVP_MD_CTX *ctx;
    EVP_PKEY *pkey;

    GetHMAC(self, ctx);
    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_get_pkey_ctx(ctx));
    if (EVP_DigestSignInit(ctx, NULL, EVP_MD_CTX_get0_md(ctx), NULL, pkey) != 1)
        ossl_raise(eHMACError, "EVP_DigestSignInit");

    return self;
}

#update(string) ⇒ self Also known as: <<

Returns hmac updated with the message to be authenticated. Can be called repeatedly with chunks of the message.

Example

first_chunk = ‘The quick brown fox jumps ’ second_chunk = ‘over the lazy dog’

instance.update(first_chunk) #=> 5b9a8038a65d571076d97fe783989e52278a492a instance.update(second_chunk) #=> de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9

Returns:

  • (self)


149
150
151
152
153
154
155
156
157
158
159
160
# File 'ext/openssl/ossl_hmac.c', line 149

static VALUE
ossl_hmac_update(VALUE self, VALUE data)
{
    EVP_MD_CTX *ctx;

    StringValue(data);
    GetHMAC(self, ctx);
    if (EVP_DigestSignUpdate(ctx, RSTRING_PTR(data), RSTRING_LEN(data)) != 1)
        ossl_raise(eHMACError, "EVP_DigestSignUpdate");

    return self;
}