XMLSEC1(1)                       User Commands                      XMLSEC1(1)

NAME

       xmlsec1 - sign, verify, encrypt and decrypt XML documents

SYNOPSIS

       xmlsec <command> [<options>] [<files>]

DESCRIPTION

       xmlsec is a command line tool for signing, verifying, encrypting and
       decrypting XML documents. The allowed <command> values are:

       --help display this help information and exit

       --help-all
              display help information for all commands/options and exit

       --help-<cmd>
              display help information for command <cmd> and exit

       --version
              print version information and exit

       --keys keys XML file manipulation

       --sign sign data and output XML document

       --verify
              verify signed document

       --sign-tmpl
              create and sign dynamically generated signature template

       --encrypt
              encrypt data and output XML document

       --decrypt
              decrypt data from XML document

OPTIONS

       --ignore-manifests

              do not process <dsig:Manifest> elements

       --store-references

              store and print the result of <dsig:Reference/> element
              processing just before calculating digest

       --store-signatures

              store and print the result of <dsig:Signature> processing just
              before calculating signature

       --enabled-reference-uris <list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:Reference> element

       --enable-visa3d-hack

              enables Visa3D protocol specific hack for URI attributes
              processing when we are trying not to use XPath/XPointer engine;
              this is a hack and I don't know what else might be broken in
              your application when you use it (also check "--id-attr" option
              because you might need it)

       --binary-data <file>

              binary <file> to encrypt

       --xml-data <file>

              XML <file> to encrypt

       --enabled-cipher-reference-uris <list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <enc:CipherReference> element

       --session-key <keyKlass>-<keySize>

              generate new session <keyKlass> key of <keySize> bits size (for
              example, "--session-key des-192" generates a new 192 bits DES
              key for DES3 encryption)

       --output <filename>

              write result document to file <filename>

       --print-debug

              print debug information to stdout

       --print-xml-debug

              print debug information to stdout in xml format

       --dtd-file <file>

              load the specified file as the DTD

       --node-id <id>

              set the operation start point to the node with given <id>

       --node-name [<namespace-uri>:]<name>

              set the operation start point to the first node with given
              <name> and <namespace> URI

       --node-xpath <expr>

              set the operation start point to the first node selected by the
              specified XPath expression

       --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>

              adds attributes <attr-name> (default value "id") from all nodes
              with <node-name> and namespace <node-namespace-uri> to the list
              of known ID attributes; this is a hack, and if you can, use a
              DTD or schema to declare ID attributes instead (see the
              "--dtd-file" option). I don't know what else might be broken in
              your application when you use this hack

       --enabled-key-data <list>

              comma separated list of enabled key data (list of registered key
              data klasses is available with "--list-key-data" command); by
              default, all registered key data are enabled

       --enabled-retrieval-uris <list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:RetrievalMethod> element.

       --gen-key[:<name>] <keyKlass>-<keySize>

              generate new <keyKlass> key of <keySize> bits size, set the key
              name to <name> and add the result to keys manager (for example,
              "--gen-key:mykey rsa-1024" generates a new 1024 bits RSA key and
              sets its name to "mykey")

       --keys-file <file>

              load keys from XML file

       --privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from PEM file and certificates that verify this
              key

       --privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from DER file and certificates that verify this
              key

       --pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from PKCS8 PEM file and PEM certificates that
              verify this key

       --pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from PKCS8 DER file and DER certificates that
              verify this key

       --pubkey-pem[:<name>] <file>

              load public key from PEM file

       --pubkey-der[:<name>] <file>

              load public key from DER file

       --aeskey[:<name>] <file>

              load AES key from binary file <file>

       --deskey[:<name>] <file>

              load DES key from binary file <file>

       --hmackey[:<name>] <file>

              load HMAC key from binary file <file>

       --pwd <password>

              the password to use for reading keys and certs

       --pkcs12[:<name>] <file>

              load private key from pkcs12 file <file>

       --pubkey-cert-pem[:<name>] <file>

              load public key from PEM cert file

       --pubkey-cert-der[:<name>] <file>

              load public key from DER cert file

       --trusted-pem <file>

              load trusted (root) certificate from PEM file <file>

       --untrusted-pem <file>

              load untrusted certificate from PEM file <file>

       --trusted-der <file>

              load trusted (root) certificate from DER file <file>

       --untrusted-der <file>

              load untrusted certificate from DER file <file>

       --verification-time <time>

              the local time in "YYYY-MM-DD HH:MM:SS" format used for
              certificate verification

       --depth <number>

              maximum certificates chain depth

       --X509-skip-strict-checks

              skip strict checking of X509 data

       --insecure

              do not verify certificates

       --crypto <name>

              the name of the crypto engine to use from the following list:
              openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is
              specified then the default one is used)

       --crypto-config <path>

              path to crypto engine configuration

       --repeat <number>

              repeat the operation <number> times

       --disable-error-msgs

              do not print xmlsec error messages

       --print-crypto-error-msgs

              print errors stack at the end

       --help

              print help information about the command

       --xxe

              enable External Entity resolution. WARNING: this may allow the
              reading of arbitrary files and URLs, controlled by the input XML
              document. Use with caution!
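
       Added example, not part of the original xmlsec1 manual: a shell
       function that audits an xmlsec1 argument vector for the options
       described above that weaken verification (--insecure, --xxe,
       --X509-skip-strict-checks, --pwd and the three --enabled-*-uris
       lists). The function name, the policy of allowing only "empty" and
       "same-doc" in URI lists, and the sample file names are assumptions
       of this example.

```shell
#!/bin/sh
# Added example: audit one xmlsec1 argument vector against a local policy.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
# Policy (an assumption of this example): URI lists may hold only
# "empty" and "same-doc".
audit_xmlsec1_args() {
    findings=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --insecure)
                echo "--insecure: certificates are not verified"; findings=1 ;;
            --xxe)
                echo "--xxe: external entity resolution is enabled"; findings=1 ;;
            --X509-skip-strict-checks)
                echo "--X509-skip-strict-checks: strict X509 checks are skipped"
                findings=1 ;;
            --pwd)
                echo "--pwd: password is passed on the command line"; findings=1
                # Consume the value so it is never parsed as an option.
                if [ $# -gt 1 ]; then shift; fi ;;
            --enabled-reference-uris|--enabled-cipher-reference-uris|--enabled-retrieval-uris)
                opt=$1
                if [ $# -gt 1 ]; then
                    shift
                    # Drop spaces and quotes, then split the list on commas.
                    list=$(printf '%s' "$1" | tr -d ' "')
                    old_ifs=$IFS; IFS=,
                    for v in $list; do
                        case "$v" in
                            empty|same-doc) ;;
                            *) echo "$opt: value '$v' is outside the empty,same-doc policy"
                               findings=1 ;;
                        esac
                    done
                    IFS=$old_ifs
                fi ;;
        esac
        shift
    done
    return "$findings"
}

# Constructed sample invocation (file names are placeholders).
if ! audit_xmlsec1_args --verify --insecure --enabled-reference-uris empty,remote \
        --trusted-pem ca.pem signed.xml; then
    echo "invocation needs review"
fi
```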

AUTHOR

       Written by Aleksey Sanin <aleksey@aleksey.com>.

REPORTING BUGS

       Report bugs to http://www.aleksey.com/xmlsec/bugs.html

COPYRIGHT

       Copyright © 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights
       Reserved.
       This is free software: see the source for copying information.

xmlsec1 1.2.25 (openssl)        September 2017                      XMLSEC1(1)