Fall back to python if OpenSSL does not support '-macopt'

This allows the script to work with the tools shipped with OS X.
2025-05-05 23:17:41 +00:00 · 2017-01-06 15:30:06 +13:00 · 2017-01-06 15:30:06 +13:00 · 82c4060d62
commit 82c4060d62
parent 058e5d5f4b
1 changed files with 12 additions and 3 deletions
--- a/acme.sh
+++ b/acme.sh
@ -461,11 +461,20 @@ _hmac() {
  fi

  if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ]; then
+    # OpenSSL only support -macopt from version 1.0. OS X ships version 0.9
+    if echo -n "" | $OPENSSL_BIN dgst -sha1 -mac HMAC -macopt hexkey:00 >/dev/null 2>&1; then
      if [ "$outputhex" ]; then
        $OPENSSL_BIN dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" | cut -d = -f 2 | tr -d ' '
      else
        $OPENSSL_BIN dgst -"$alg" -mac HMAC -macopt "hexkey:$secret_hex" -binary
      fi
+    else
+      # Try to fall back to python's built-in hmac/hashlib modules
+       [ -n "$outputhex" ] && outputhex=hex
+      python -u -c \
+          'import sys,binascii,hmac,hashlib;sys.stdout.write(getattr(hmac.new(binascii.unhexlify(sys.argv[3]),sys.stdin.read(),getattr(hashlib,sys.argv[1])),sys.argv[2])())' \
+          "$alg" "${outputhex}digest" "$secret_hex"
+    fi
  else
    _err "$alg is not supported yet"
    return 1