1OPENSSL-DGST(1ossl)                 OpenSSL                OPENSSL-DGST(1ossl)
2
3
4

NAME

6       openssl-dgst - perform digest operations
7

SYNOPSIS

9       openssl dgst|digest [-digest] [-list] [-help] [-c] [-d] [-debug] [-hex]
10       [-binary] [-xoflen length] [-r] [-out filename] [-sign filename|uri]
11       [-keyform DER|PEM|P12|ENGINE] [-passin arg] [-verify filename]
12       [-prverify filename] [-signature filename] [-sigopt nm:v] [-hmac key]
13       [-mac alg] [-macopt nm:v] [-fips-fingerprint] [-engine id]
14       [-engine_impl id] [-rand files] [-writerand file] [-provider name]
15       [-provider-path path] [-propquery propq] [file ...]
16

DESCRIPTION

18       This command output the message digest of a supplied file or files in
19       hexadecimal, and also generates and verifies digital signatures using
20       message digests.
21
22       The generic name, openssl dgst, may be used with an option specifying
23       the algorithm to be used.  The default digest is sha256.  A supported
24       digest name may also be used as the sub-command name.  To see the list
25       of supported algorithms, use "openssl list -digest-algorithms"
26

OPTIONS

28       -help
29           Print out a usage message.
30
31       -digest
32           Specifies name of a supported digest to be used. See option -list
33           below :
34
35       -list
36           Prints out a list of supported message digests.
37
38       -c  Print out the digest in two digit groups separated by colons, only
39           relevant if the -hex option is given as well.
40
41       -d, -debug
42           Print out BIO debugging information.
43
44       -hex
45           Digest is to be output as a hex dump. This is the default case for
46           a "normal" digest as opposed to a digital signature.  See NOTES
47           below for digital signatures using -hex.
48
49       -binary
50           Output the digest or signature in binary form.
51
52       -xoflen length
53           Set the output length for XOF algorithms, such as shake128.
54
55       -r  Output the digest in the "coreutils" format, including newlines.
56           Used by programs like sha1sum(1).
57
58       -out filename
59           Filename to output to, or standard output by default.
60
61       -sign filename|uri
62           Digitally sign the digest using the given private key. Note this
63           option does not support Ed25519 or Ed448 private keys. Use the
64           openssl-pkeyutl(1) command instead for this.
65
66       -keyform DER|PEM|P12|ENGINE
67           The format of the key to sign with; unspecified by default.  See
68           openssl-format-options(1) for details.
69
70       -sigopt nm:v
71           Pass options to the signature algorithm during sign or verify
72           operations.  Names and values of these options are algorithm-
73           specific.
74
75       -passin arg
76           The private key password source. For more information about the
77           format of arg see openssl-passphrase-options(1).
78
79       -verify filename
80           Verify the signature using the public key in "filename".  The
81           output is either "Verified OK" or "Verification Failure".
82
83       -prverify filename
84           Verify the signature using the private key in "filename".
85
86       -signature filename
87           The actual signature to verify.
88
89       -hmac key
90           Create a hashed MAC using "key".
91
92           The openssl-mac(1) command should be preferred to using this
93           command line option.
94
95       -mac alg
96           Create MAC (keyed Message Authentication Code). The most popular
97           MAC algorithm is HMAC (hash-based MAC), but there are other MAC
98           algorithms which are not based on hash, for instance gost-mac
99           algorithm, supported by the gost engine. MAC keys and other options
100           should be set via -macopt parameter.
101
102           The openssl-mac(1) command should be preferred to using this
103           command line option.
104
105       -macopt nm:v
106           Passes options to MAC algorithm, specified by -mac key.  Following
107           options are supported by both by HMAC and gost-mac:
108
109           key:string
110               Specifies MAC key as alphanumeric string (use if key contain
111               printable characters only). String length must conform to any
112               restrictions of the MAC algorithm for example exactly 32 chars
113               for gost-mac.
114
115           hexkey:string
116               Specifies MAC key in hexadecimal form (two hex digits per
117               byte).  Key length must conform to any restrictions of the MAC
118               algorithm for example exactly 32 chars for gost-mac.
119
120           The openssl-mac(1) command should be preferred to using this
121           command line option.
122
123       -fips-fingerprint
124           Compute HMAC using a specific key for certain OpenSSL-FIPS
125           operations.
126
127       -rand files, -writerand file
128           See "Random State Options" in openssl(1) for details.
129
130       -engine id
131           See "Engine Options" in openssl(1).  This option is deprecated.
132
133           The engine is not used for digests unless the -engine_impl option
134           is used or it is configured to do so, see "Engine Configuration
135           Module" in config(5).
136
137       -engine_impl id
138           When used with the -engine option, it specifies to also use engine
139           id for digest operations.
140
141       -provider name
142       -provider-path path
143       -propquery propq
144           See "Provider Options" in openssl(1), provider(7), and property(7).
145
146       file ...
147           File or files to digest. If no files are specified then standard
148           input is used.
149

EXAMPLES

151       To create a hex-encoded message digest of a file:
152
153        openssl dgst -md5 -hex file.txt
154        or
155        openssl md5 file.txt
156
157       To sign a file using SHA-256 with binary file output:
158
159        openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
160        or
161        openssl sha256 -sign privatekey.pem -out signature.sign file.txt
162
163       To verify a signature:
164
165        openssl dgst -sha256 -verify publickey.pem \
166        -signature signature.sign \
167        file.txt
168

NOTES

170       The digest mechanisms that are available will depend on the options
171       used when building OpenSSL.  The "openssl list -digest-algorithms"
172       command can be used to list them.
173
174       New or agile applications should use probably use SHA-256. Other
175       digests, particularly SHA-1 and MD5, are still widely used for
176       interoperating with existing formats and protocols.
177
178       When signing a file, this command will automatically determine the
179       algorithm (RSA, ECC, etc) to use for signing based on the private key's
180       ASN.1 info.  When verifying signatures, it only handles the RSA, DSA,
181       or ECDSA signature itself, not the related data to identify the signer
182       and algorithm used in formats such as x.509, CMS, and S/MIME.
183
184       A source of random numbers is required for certain signing algorithms,
185       in particular ECDSA and DSA.
186
187       The signing and verify options should only be used if a single file is
188       being signed or verified.
189
190       Hex signatures cannot be verified using openssl.  Instead, use "xxd -r"
191       or similar program to transform the hex signature into a binary
192       signature prior to verification.
193
194       The openssl-mac(1) command is preferred over the -hmac, -mac and
195       -macopt command line options.
196

SEE ALSO

198       openssl-mac(1)
199

HISTORY

201       The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
202       The FIPS-related options were removed in OpenSSL 1.1.0.
203
204       The -engine and -engine_impl options were deprecated in OpenSSL 3.0.
205
207       Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
208
209       Licensed under the Apache License 2.0 (the "License").  You may not use
210       this file except in compliance with the License.  You can obtain a copy
211       in the file LICENSE in the source distribution or at
212       <https://www.openssl.org/source/license.html>.
213
214
215
2163.0.5                             2022-07-05               OPENSSL-DGST(1ossl)
Impressum