MAC(1) User Commands MAC(1)


NAME


mac - calculate message authentication codes of the input

SYNOPSIS


/usr/bin/mac -l


/usr/bin/mac [-v] -a algorithm
[-k keyfile | -K key_label [-T token_spec]] [file]...


DESCRIPTION


The mac utility calculates the message authentication code (MAC) of the
given file or files or stdin using the algorithm specified.


If more than one file is given, each line of output is the MAC of a
single file.

OPTIONS


The following options are supported:

-a algorithm
Specifies the name of the algorithm to use during the
encryption or decryption process. See USAGE, Algorithms
for details. Note: Algorithms for producing general
length MACs are not supported.


-k keyfile
Specifies the file containing the key value for the
encryption algorithm. Each algorithm has specific key
material requirements, as stated in the PKCS#11
specification. If -k is not specified, mac prompts for
key material using getpassphrase(3C).

For information on generating a key file, see pktool(1),
dd(8) or the System Administration Guide: Security
Services.


-K key_label
Specify the label of a symmetric token key in a PKCS#11
token.


-l
Displays the list of algorithms available on the system.
This list can change depending on the configuration of
the cryptographic framework. The keysizes are displayed
in bits.


-T token_spec
Specify a PKCS#11 token other than the default soft
token object store when the -K is specified.

token_spec has the format of:

token_name [:manuf_id [:serial_no]]


When a token label contains trailing spaces, this option
does not require them to be typed as a convenience to
the user.

Colon separates token identification string. If any of
the parts have a literal colon (:) character, it must be
escaped by a backslash (\). If a colon (:) is not found,
the entire string (up to 32 characters) is taken as the
token label. If only one colon (:) is found, the string
is the token label and the manufacturer.


-v
Provides verbose information.


USAGE


Algorithms


The supported algorithms are displayed with the -l option. These
algorithms are provided by the cryptographic framework. Each supported
algorithm is an alias to the most commonly used and least restricted
version of a particular algorithm type. For example, md5_hmac is an alias
to CKM_MD5_HMAC.


These aliases are used with the -a option and are case-sensitive.

Passphrase


When the -k option is not used during encryption and decryption tasks,
the user is prompted for a passphrase. The passphrase is manipulated into
a more secure key using the PBKDF2 algorithm specified in PKCS #5.

EXAMPLES


Example 1: Listing Available Algorithms




The following example lists available algorithms:


example$ mac -l
Algorithm Keysize: Min Max
-----------------------------------
des_mac 64 64
sha1_hmac 8 512
md5_hmac 8 512
sha256_hmac 8 512
sha384_hmac 8 1024
sha512_hmac 8 1024


Example 2: Getting the Message Authentication Code




The following example gets the message authentication code for a file:


example$ mac -v -k mykey -a sha1_hmac /export/foo
sha1_hmac (/export/foo) = 913ced311df10f1708d9848641ca8992f4718057


Example 3: Getting the Message Authentication Code with a Token Key




The following example gets the message authentication code with a generic
token key in the soft token keystore. The generic token key can be
generated with pktool(1):


encrypt -v -a sha1_hmac -K my_generic_key \
-T "Sun Software PKCS#11 softtoken" /export/foo
Enter pin for Sun Software PKCS#11 softtoken:
sha1_hmac (/etc/foo) = c2ba5c38458c092a68940081240d22b670182968


EXIT STATUS


The following exit values are returned:

0
Successful completion.


>0
An error occurred.


ATTRIBUTES


See attributes(7) for descriptions of the following attributes:


+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Evolving |
+--------------------+-----------------+

SEE ALSO


digest(1), pktool(1), getpassphrase(3C), libpkcs11(3LIB), attributes(7),
pkcs11_softtoken(7), dd(8)


System Administration Guide: Security Services


RSA PKCS#11 v2.20 and RSA PKCS#5 v2.0, http://www.rsasecurity.com


March 21, 2007 MAC(1)