XMLSEC1(1)                       User Commands                      XMLSEC1(1)

NAME

       xmlsec1 - sign, verify, encrypt and decrypt XML documents

SYNOPSIS

       xmlsec <command> [<options>] [<files>]

DESCRIPTION

       xmlsec is a command line tool for signing, verifying, encrypting and
       decrypting XML documents. The allowed <command> values are:

       --help display this help information and exit

       --help-all
              display help information for all commands/options and exit

       --help-<cmd>
              display help information for command <cmd> and exit

       --version
              print version information and exit

       --keys keys XML file manipulation

       --sign sign data and output XML document

       --verify
              verify signed document

       --sign-tmpl
              create and sign dynamically generated signature template

       --encrypt
              encrypt data and output XML document

       --decrypt
              decrypt data from XML document

OPTIONS

       --ignore-manifests
              do not process <dsig:Manifest> elements

       --store-references
              store and print the result of <dsig:Reference/> element
              processing just before calculating digest

       --store-signatures
              store and print the result of <dsig:Signature> processing just
              before calculating signature

       --enabled-reference-uris <list>
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:Reference> element

       --enable-visa3d-hack
              enables Visa3D protocol specific hack for URI attributes
              processing when we are trying not to use XPath/XPointer engine;
              this is a hack and I don't know what else might be broken in
              your application when you use it (also check "--id-attr" option
              because you might need it)

       --binary-data <file>
              binary <file> to encrypt

       --xml-data <file>
              XML <file> to encrypt

       --enabled-cipher-reference-uris <list>
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <enc:CipherReference> element

       --session-key <keyKlass>-<keySize>
              generate new session <keyKlass> key of <keySize> bits size (for
              example, "--session-key des-192" generates a new 192 bits DES
              key for DES3 encryption)

       --output <filename>
              write result document to file <filename>

       --print-debug
              print debug information to stdout

       --print-xml-debug
              print debug information to stdout in xml format

       --dtd-file <file>
              load the specified file as the DTD

       --node-id <id>
              set the operation start point to the node with given <id>

       --node-name [<namespace-uri>:]<name>
              set the operation start point to the first node with given
              <name> and <namespace-uri>

       --node-xpath <expr>
              set the operation start point to the first node selected by the
              specified XPath expression

       --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
              adds attributes <attr-name> (default value "id") from all nodes
              with <node-name> and namespace <node-namespace-uri> to the list
              of known ID attributes; this is a hack: if you can, use a DTD or
              schema to declare ID attributes instead (see "--dtd-file"
              option), because I don't know what else might be broken in your
              application when you use this hack

       --enabled-key-data <list>
              comma separated list of enabled key data (list of registered key
              data klasses is available with "--list-key-data" command); by
              default, all registered key data are enabled

       --enabled-retrieval-uris <list>
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:RetrievalMethod> element

       --gen-key[:<name>] <keyKlass>-<keySize>
              generate new <keyKlass> key of <keySize> bits size, set the key
              name to <name> and add the result to keys manager (for example,
              "--gen-key:mykey rsa-1024" generates a new 1024 bits RSA key and
              sets its name to "mykey")

       --keys-file <file>
              load keys from XML file

       --privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from PEM file and certificates that verify this
              key

       --privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from DER file and certificates that verify this
              key

       --pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from PKCS8 PEM file and PEM certificates that
              verify this key

       --pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from PKCS8 DER file and DER certificates that
              verify this key

       --pubkey-pem[:<name>] <file>
              load public key from PEM file

       --pubkey-der[:<name>] <file>
              load public key from DER file

       --aeskey[:<name>] <file>
              load AES key from binary file <file>

       --deskey[:<name>] <file>
              load DES key from binary file <file>

       --hmackey[:<name>] <file>
              load HMAC key from binary file <file>

       --pwd <password>
              the password to use for reading keys and certs

       --pkcs12[:<name>] <file>
              load private key from pkcs12 file <file>

       --pkcs12-persist
              persist loaded private key

       --pubkey-cert-pem[:<name>] <file>
              load public key from PEM cert file

       --pubkey-cert-der[:<name>] <file>
              load public key from DER cert file

       --trusted-pem <file>
              load trusted (root) certificate from PEM file <file>

       --untrusted-pem <file>
              load untrusted certificate from PEM file <file>

       --trusted-der <file>
              load trusted (root) certificate from DER file <file>

       --untrusted-der <file>
              load untrusted certificate from DER file <file>

       --verification-time <time>
              the local time in "YYYY-MM-DD HH:MM:SS" format used for
              certificates verification

       --depth <number>
              maximum certificates chain depth

       --X509-skip-strict-checks
              skip strict checking of X509 data

       --insecure
              do not verify certificates

       --privkey-openssl-engine[:<name>]
              <openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]
              load private key by OpenSSL ENGINE interface; specify the name
              of engine (like with -engine params), the key specs (like with
              -inkey or -key params) and optionally certificates that verify
              this key

       --crypto <name>
              the name of the crypto engine to use from the following list:
              openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is
              specified then the default one is used)

       --crypto-config <path>
              path to crypto engine configuration

       --repeat <number>
              repeat the operation <number> times

       --disable-error-msgs
              do not print xmlsec error messages

       --print-crypto-error-msgs
              print errors stack at the end

       --help
              print help information about the command

       --xxe
              enable External Entity resolution.  WARNING: this may allow the
              reading of arbitrary files and URLs, controlled by the input XML
              document.  Use with caution!

       --url-map:<url> <file>
              maps a given <url> to the given <file> for loading external
              resources
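       As an added example (not from this man page or the xmlsec project), the
       Python pre-flight check below classifies the URI attributes that
       --enabled-reference-uris, --enabled-retrieval-uris and
       --enabled-cipher-reference-uris restrict, so an operator can pass the
       narrowest values (or refuse a document that needs "remote"), and flags
       the external DTD/entity declarations that --xxe would resolve. The
       classification rules and the SAMPLE document are assumptions constructed
       for this example, not xmlsec1's own logic.

```python
# Added example, not from the xmlsec1 man page or the xmlsec project. The URI
# classification is an assumption modelled on the man page's four value names.
import re
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENC = "http://www.w3.org/2001/04/xmlenc#"

# Element -> man page option that restricts that element's URI attribute.
URI_OPTIONS = {
    "{%s}Reference" % DSIG: "--enabled-reference-uris",
    "{%s}RetrievalMethod" % DSIG: "--enabled-retrieval-uris",
    "{%s}CipherReference" % ENC: "--enabled-cipher-reference-uris",
}

# External DTD subset, or an external general/parameter entity declaration.
_EXTERNAL_DECL = re.compile(
    r"<!(?:DOCTYPE\s+\S+|ENTITY\s+(?:%\s+)?\S+)\s+(?:SYSTEM|PUBLIC)\b")

# Constructed sample: one same-document and one remote <dsig:Reference>.
SAMPLE = """<Envelope xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
 <Data Id="p">x</Data><dsig:Signature><dsig:SignedInfo>
  <dsig:Reference URI="#p"/><dsig:Reference URI="http://example.invalid/a.xml"/>
 </dsig:SignedInfo><dsig:KeyInfo><dsig:RetrievalMethod URI="#c"/></dsig:KeyInfo>
 </dsig:Signature></Envelope>"""

def classify_uri(uri):
    """Map one URI attribute value to empty / same-doc / local / remote."""
    if not uri:
        return "empty"        # URI="" or absent: the whole document
    if uri.startswith("#"):
        return "same-doc"     # fragment inside this document
    if uri.startswith("file:") or "://" not in uri:
        return "local"        # assumption: scheme-less paths are local files
    return "remote"           # http://, https://, ftp:// ...

def required_uri_types(xml_text):
    """Return {option: sorted URI types used}; pass these as the option values
    so xmlsec1 rejects anything wider, or refuse the file if 'remote' appears."""
    root = ET.fromstring(xml_text)
    needed = {}
    for tag, option in URI_OPTIONS.items():
        for el in root.iter(tag):
            needed.setdefault(option, set()).add(classify_uri(el.get("URI")))
    return {opt: sorted(kinds) for opt, kinds in needed.items()}

def declares_external_resources(xml_text):
    """True when the prolog would fetch external data if --xxe were enabled."""
    return _EXTERNAL_DECL.search(xml_text) is not None
```

       Only the prolog is scanned for entity declarations, so run the check on
       the raw bytes before any XML parser has touched the document.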

AUTHOR

       Written by Aleksey Sanin <aleksey@aleksey.com>.

REPORTING BUGS

       Report bugs to http://www.aleksey.com/xmlsec/bugs.html

COPYRIGHT

       Copyright © 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights
       Reserved.
       This is free software: see the source for copying information.



xmlsec1 1.2.33 (openssl)         October 2021                       XMLSEC1(1)