SHA-256 Hash Alogrithm

[ssrin...@gmail.com]

Hi,

I am having a ".TXT" file and I have generated SHA hash of ".TXT" file using Windows Command prompt like below

C:\temp>certutil -hashfile test.txt sha256
SHA256 hash of test.txt:
7d967bad44f719f3733bbec0f1228f0247794096a434d57e6875f3367ead5f33
CertUtil: -hashfile command completed successfully.
=============================================================
Now, If I upload the same ".TXT" file to Tandem . How to generate a SHA256 key so that I can compare the key generated from Tandem to the key which I already generated using Windows Command prompt (Certutil)
I am planning to use COBOL programming. Is there any routine which we can call from cobol ?
any help would be appreciated.

[Bill Honaker]

Hi

The certutil program, both for Windows and for NonStop, is part of OpenSSL. I don't believe that it is installed by default on Windows, and I know it's not on NonStop.

You should discuss with your NonStop systems managers whether OpenSSL is already installed on your NonStop.
If so, you should be able to enter the same command at an OSH or BASH prompt.

OpenSSL also includes a DLL version of both the SSL portion and the cryptography libraries. You should research what API to call to generate a hash.
Alternatively, COBOL should be able to invoke the certutil program. There are many ways to accomplish this.

If your COBOL program is COBOL85 (that is, a code 100 program file) you can't call OSS utilities. If it's native (ecobol or xcobol), and it runs in OSS, it's quite easy.
If it runs as a Guardian program it's not quite as easy, but for a simple function such as hash generation it's possible. You miay have to read the contents
of the test.txt file (or equivalent) into memory and pass it to the API.

Bill

[Bill Honaker]

One good place to start, as this article includes a sample COBOL program:

https://stackoverflow.com/questions/15462544/use-sha1-with-cobol/15498799

They had other alternatives, like Python. Java also has a SHA256 hash implementation. You could also write programs in C, Java, Python as a Pathway server.
Then it's a relatively simple SERVERCLASS_SEND_()' call. It has the advantage of being usable within multpile programs.

[Randall]

Java has SHA256 message digests built in. It's very simple to use.

[Andre White]

I was created SHA3-512 using Java and run under pathway server:

.properties
-----------------

# Type for algorithm
# sha3-224
# sha3-256
# sha3-384
# sha3-512
sha3.algorithm=sha3-512
sha3.uppercase=N
sha3.cutover=2200
sha3.trace=off
---------------------------------------------------------------------------------------


protected String calculateSHA3( String filename, EnscribeFile ef ) {

I_Data iData = new I_Data();
Sha3 sha3 = null;
EnscribeOpenOptions opt = new EnscribeOpenOptions();
String result = null;
StringBuilder sb = new StringBuilder();
String lf = "";
String cr = "";

if (MyProperties.isTrace()) {
logger.info(String.format("Trace on: Filename: %s", filename));
}

switch (MyProperties.getAlgorithm().toUpperCase()) {
case "SHA3-224":
sha3 = new Sha3(Type.SHA3_224);
break;
case "SHA3-256":
sha3 = new Sha3(Type.SHA3_256);
break;
case "SHA3-384":
sha3 = new Sha3(Type.SHA3_384);
break;
case "SHA3-512":
sha3 = new Sha3(Type.SHA3_512);
break;
default:
sha3 = new Sha3(Type.SHA3_512);
break;
}

opt.setAccess(EnscribeOpenOptions.READ_ONLY);
opt.setExclusion(EnscribeOpenOptions.SHARED);

try {
ef.open( opt );

if ( ef.getFileInfo().getFileType() != 0) {
if (MyProperties.isCrChar())
{
cr = "\r";
}

iData.set_bufferLen(ef.getFileInfo().getRecordLength());
lf = "\n";
}
else
{
/*
* For unstructured data, we need to use buffer as 1024 bytes to read the data
*/
opt.setUnstructuredAccess(true);
opt.setSequentialBlockBufferLength(1024);
}

int countread = 0;
do {
try {
countread = ef.read(iData);
if ( countread != -1 ) {
sb.append(iData.getSdata());
sb.append(cr).append(lf);
}
} catch (DataConversionException e) {
// TODO Auto-generated catch block
logger.log(Level.SEVERE, "Filename: " +
ef.getFileName() + ". " +
e.getLocalizedMessage(), e);
}

} while (countread != -1);

/*
* Compute SHA3
*/

result = HexTools.convertToHex(sha3.encode(
sb.toString().getBytes(StandardCharsets.UTF_8)));

if (MyProperties.isUppercase())
{
result = result.toUpperCase();
}
else
{
result = result.toLowerCase();
}
} catch (EnscribeFileException e) {
// TODO Auto-generated catch block
logger.log(Level.SEVERE, "Filename: " +
ef.getFileName() + ". " +
e.getLocalizedMessage(), e);
} finally {
ef.close();
sb.setLength(0);
}

return result;

}

[Randall]

This will work fine. However, you are taking into account things you might not know about. If you are using entry sequenced files, you are probably good. If you are using a different structured file, like relative or key-sequenced, your SHA512 calculation will include primary key nodes (and slack) and data in slack space that has not been zeroed. So you may end up with two files that have the same logical content (visible from FILE_READ64_) but different signatures computed using the above. Please be aware of that. I have direct experience with this situation in NSGit.

[Andre White]

Hi Randall,

Thanks for your information.
I agreed with you. Because of that, we need to know what kind of situation we need to use Entry sequenced or unstructured file.
If we are using relative or key-sequenced to generate the SHA3 values, and we will ask third party to verify the SHA3. My SHA3 calculation will not match with them.
Because we don't know in their system using Nonstop or Unix or Windows.

[dave_th...@comcast.net]

On Fri, 12 Feb 2021 14:53:43 -0600, Bill Honaker
<no_spam_bhonaker__@x_i_d.com> wrote:

> On Fri, 12 Feb 2021 12:21:55 -0800 (PST), "ssrin...@gmail.com"
<ssrin...@gmail.com> wrote:
>
> >Hi,
> >
> >I am having a ".TXT" file and I have generated SHA hash of
".TXT" file using Windows Command prompt like below
> >
> >C:\temp>certutil -hashfile test.txt sha256

> The certutil program, both for Windows and for NonStop, is part of OpenSSL.
I don't believe that it is installed by default on Windows, and I know
it's not on NonStop.
>

No, certutil is not part of OpenSSL, anywhere. The one and only
commandline program in OpenSSL is simply openssl (.exe on Windows).
It includes numerous operations including secure hashes.

The syntax shown is for the certutil.exe that is part of Windows since
at least XP (maybe NT), and is available only on Windows (or WINE).

There is another certutil that is part of NSS, the Netscape/Mozilla
(free) SSL/TLS and crypto package. This is used on many Unices,
instead of or in addition to OpenSSL, but I don't know about OSS.

In addition many Unices have tradtionally had separate programs that
only do a hash named md5sum sha1sum sha256sum etc.
p

[ssrin...@gmail.com]

Thanks for all your help

[Bill Honaker]

Dave, you're correct. That's what I get for relying on my memory rather than issuing the command.

The command should be:

openssl sha -sha2566 -out shafile.txt textfile.txt

Bill

[Randall]

Wondering whether anyone has been able to build a hardware SHA-256 using the macros in builtins.h. I'm trying to speed up git so that the signature calculation will be faster on L-series.
Randall

[Aravind Aravind]

Could anybody help on this ? i want to generate hash from file using SHA3-256 algorithm in vb.net, pls anybody help to get sample code or any idea on this.

[Randall]

Googling this, you could potentially use https://github.com/brainhub/SHA3IUF or some other Open Source library, but that assumes your organization can take and use code from GitHub. Or develop your own SHA3 code - it is not that hard to do and well documented.

[chris...@fullgera.se]

I'm a bit interested in this topic due to the fact that we have a MD5 implementation which we need to replace. Haven't gotten to actually do it yet but when I did some research I found a very well structured library called Nettle which has the following punch line "Nettle is a low-level cryptographic library that is designed to fit easily in more or less any context.".
You'll find it here: https://git.lysator.liu.se/nettle/nettle

Please report back if you're successful and tell us how you solved it!

[Randall]

We implemented MD5, SHA1, SHA256 using the directions from NIST without other external assistance. The techniques are well described. It is not difficult to do if you know C. I cannot share our implementations as they are cryptographic and subject to export controls. Sharing cryptographic code is done at your own risk.
-Randall

[j-ma...@pacbell.net]

There is another aspect to the question of calculating a hash on a text file. The definition of a text file is specific to the operating system it resides on. When you transfer a text file, the End of Line indicator may be translated, tabs may be translated to spaces, trailing spaces may be truncated, etc. If you transfer it as a text file instead of a binary file, they likely won’t be a bit for bit match.

Jon Marcus

[Randall]

On Thursday, October 27, 2022 at 4:41:00 p.m. UTC-4, j-ma...@pacbell.net wrote:
> There is another aspect to the question of calculating a hash on a text file. The definition of a text file is specific to the operating system it resides on. When you transfer a text file, the End of Line indicator may be translated, tabs may be translated to spaces, trailing spaces may be truncated, etc. If you transfer it as a text file instead of a binary file, they likely won’t be a bit for bit match.
>
> Jon Marcus

Hi Jon,

If you use NSGit (T1198), the hash calculation is independent of whether you are in Guardian or OSS or Windows. We made provision for supplying an independent form of the file to the git hash-object function. That might solve the OP issue.

Regards,
Randall