xmlsec1(1) User Commands xmlsec1(1)
NAME
xmlsec1 - sign, verify, encrypt and decrypt XML documents
SYNOPSIS
xmlsec <command> [<options>] [<files>]
DESCRIPTION
xmlsec is a command line tool for signing, verifying, encrypting and
decrypting XML documents. The allowed <command> values are:
--help display this help information and exit
--help-all
display help information for all commands/options and exit
--help-<cmd>
display help information for command <cmd> and exit
--version
print version information and exit
--keys keys XML file manipulation
--sign sign data and output XML document
--verify
verify signed document
--sign-tmpl
create and sign dynamicaly generated signature template
--encrypt
encrypt data and output XML document
--decrypt
decrypt data from XML document
OPTIONS
--ignore-manifests
do not process <dsig:Manifest> elements
--store-references
store and print the result of <dsig:Reference/> element
processing just before calculating digest
--store-signatures
store and print the result of <dsig:Signature> processing just
before calculating signature
--enabled-reference-uris <list>
comma separated list of of the following values: "empty",
"same-doc", "local","remote" to restrict possible URI attribute
values for the <dsig:Reference> element
--enable-visa3d-hack
enables Visa3D protocol specific hack for URI attributes
processing when we are trying not to use XPath/XPointer engine;
this is a hack and I don't know what else might be broken in
your application when you use it (also check "--id-attr" option
because you might need it)
--hmac-min-out-len <bits>
sets minimum HMAC output length to <bits>
--binary-data <file>
binary <file> to encrypt
--xml-data <file>
XML <file> to encrypt
--enabled-cipher-reference-uris <list>
comma separated list of of the following values: "empty",
"same-doc", "local","remote" to restrict possible URI attribute
values for the <enc:CipherReference> element
--session-key <keyKlass>-<keySize>
generate new session <keyKlass> key of <keySize> bits size (for
example, "--session des-192" generates a new 192 bits DES key
for DES3 encryption)
--output <filename>
write result document to file <filename>; the <filename> can be
a template and include '{inputfile}' which will be repaced with
the input filename
--print-debug
print debug information to stdout
--print-xml-debug
print debug information to stdout in xml format
--dtd-file <file>
load the specified file as the DTD
--node-id <id>
set the operation start point to the node with given <id>
--node-name [<namespace-uri>:]<name>
set the operation start point to the first node with given
<name> and <namespace> URI
--node-xpath <expr>
set the operation start point to the first node selected by the
specified XPath expression
--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
adds attributes <attr-name> (default value "id") from all nodes
with<node-name> and namespace <node-namespace-uri> to the list
of known ID attributes; this is a hack and if you can use DTD or
schema to declare ID attributes instead (see "--dtd-file"
option), I don't know what else might be broken in your
application when you use this hack
--enabled-key-data <list>
comma separated list of enabled key data (list of registered key
data klasses is available with "--list-key-data" command); by
default, all registered key data are enabled
--enabled-retrieval-method-uris <list>
comma separated list of of the following values: "empty",
"same-doc", "local","remote" to restrict possible URI attribute
values for the <dsig:RetrievalMethod> element.
--enabled-key-info-reference-uris <list>
comma separated list of of the following values: "empty",
"same-doc", "local","remote" to restrict possible URI attribute
values for the <dsig11:KeyInfoReference> element.
--gen-key[:<name>] <keyKlass>-<keySize>
generate new <keyKlass> key of <keySize> bits size, set the key
name to <name> and add the result to keys manager (for example,
"--gen:mykey rsa-1024" generates a new 1024 bits RSA key and
sets it's name to "mykey")
--keys-file <file>
load keys from XML file
--privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]
load private key from PEM file and certificates that verify this
key
--privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]
load private key from DER file and certificates that verify this
key
--pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]
load private key from PKCS8 PEM file and PEM certificates that
verify this key
--pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]
load private key from PKCS8 DER file and DER certificates that
verify this key
--privkey-openssl-store[:<name>] <uri>
load private key and certs through OpenSSL ossl_store interface
(e.g. from HSM)
--privkey-openssl-engine[:<name>]
<openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]
load private key by OpenSSL ENGINE interface; specify the name
of engine (like with -engine params), the key specs (like with
-inkey or -key params) and optionally certificates that verify
this key
--pubkey-pem[:<name>] <file>
load public key from PEM file
--pubkey-der[:<name>] <file>
load public key from DER file
--pubkey-openssl-store[:<name>] <uri>
load pubkey key and certs through OpenSSL ossl_store interface
(e.g. from HSM)
--pubkey-openssl-engine[:<name>]
<openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]
load public key by OpenSSL ENGINE interface; specify the name of
engine (like with -engine params), the key specs (like with
-inkey or -key params) and optionally certificates that verify
this key
--pwd <password>
the password to use for reading keys and certs
--lax-key-search
enable lax key search (e.g. by key type like "rsa") vs default
strict key search mode using only information from
<dsig:KeyInfo/> node (e.g. key name)
--verify-keys
force verification of public/private keys loaded from the
command: keys are required to have a key certificate that will
be verified against the certificates in the key store
--aes-key[:<name>] <file>
load AES key from binary file <file>
--concatkdf-key[:<name>] <file>
load ConcatKDF key from binary file <file>
--des-key[:<name>] <file>
load DES key from binary file <file>
--hmac-key[:<name>] <file>
load HMAC key from binary file <file>
--pbkdf2-key[:<name>] <file>
load Pbkdf2 key from binary file <file>
--pkcs12[:<name>] <file>
load load private key from pkcs12 file <file>
--pkcs12-persist
persist loaded private key
--pubkey-cert-pem[:<name>] <file>
load public key from PEM cert file
--pubkey-cert-der[:<name>] <file>
load public key from DER cert file
--trusted-pem <file>
load trusted (root) certificate from PEM file <file>
--untrusted-pem <file>
load untrusted certificate from PEM file <file>
--trusted-der <file>
load trusted (root) certificate from DER file <file>
--untrusted-der <file>
load untrusted certificate from DER file <file>
--crl-pem <file>
load CRLs from PEM file <file>
--crl-der <file>
load CRLs from DER file <file>
--verification-time <time>
the local time in "YYYY-MM-DD HH:MM:SS" format used certificates
verification
--verification-gmt-time <time>
the GMT time in "YYYY-MM-DD HH:MM:SS" format used certificates
verification
--depth <number>
maximum certificates chain depth
--X509-skip-strict-checks
skip strict checking of X509 data
--insecure
do not verify certificates
--crypto <name>
the name of the crypto engine to use from the following list:
openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is
specified then the default one is used)
--crypto-config <path>
path to crypto engine configuration
--verbose
print detailed error messages
--repeat <number>
repeat the operation <number> times
--base64-line-size <size>
sets the max line size for base64 encodings to <size>
--transform-binary-chunk-size <size>
sets the transforms binary processing chunk size to <size>;
increasing chunk size might improve performance at the expense
of increased memory usage
--xxe
enable External Entity resolution. WARNING: this may allow the
reading of arbitrary files and URLs, controlled by the input XML
document. Use with caution!
--url-map:<url> <file>
maps a given <url> to the given <file> for loading external
resources
--help
print help information about the command
AUTHOR
Written by Aleksey Sanin <aleksey@aleksey.com>.
REPORTING BUGS
Report bugs to http://www.aleksey.com/xmlsec/bugs.html
COPYRIGHT
Copyright (C) 2002-2022 Aleksey Sanin <aleksey@aleksey.com>. All Rights
Reserved..
This is free software: see the source for copying information.
xmlsec1 1.3.3 (openssl) December 2023 xmlsec1(1)
xmlsec 1.3.3 - Generated Fri Jan 5 14:50:04 CST 2024