1OPENSSL-DGST(1ossl) OpenSSL OPENSSL-DGST(1ossl)
2
3
4
6 openssl-dgst - perform digest operations
7
9 openssl dgst|digest [-digest] [-list] [-help] [-c] [-d] [-debug] [-hex]
10 [-binary] [-xoflen length] [-r] [-out filename] [-sign filename|uri]
11 [-keyform DER|PEM|P12|ENGINE] [-passin arg] [-verify filename]
12 [-prverify filename] [-signature filename] [-sigopt nm:v] [-hmac key]
13 [-mac alg] [-macopt nm:v] [-fips-fingerprint] [-engine id]
14 [-engine_impl id] [-rand files] [-writerand file] [-provider name]
15 [-provider-path path] [-propquery propq] [file ...]
16
18 This command output the message digest of a supplied file or files in
19 hexadecimal, and also generates and verifies digital signatures using
20 message digests.
21
22 The generic name, openssl dgst, may be used with an option specifying
23 the algorithm to be used. The default digest is sha256. A supported
24 digest name may also be used as the sub-command name. To see the list
25 of supported algorithms, use "openssl list -digest-algorithms"
26
28 -help
29 Print out a usage message.
30
31 -digest
32 Specifies name of a supported digest to be used. See option -list
33 below :
34
35 -list
36 Prints out a list of supported message digests.
37
38 -c Print out the digest in two digit groups separated by colons, only
39 relevant if the -hex option is given as well.
40
41 -d, -debug
42 Print out BIO debugging information.
43
44 -hex
45 Digest is to be output as a hex dump. This is the default case for
46 a "normal" digest as opposed to a digital signature. See NOTES
47 below for digital signatures using -hex.
48
49 -binary
50 Output the digest or signature in binary form.
51
52 -xoflen length
53 Set the output length for XOF algorithms, such as shake128.
54
55 -r Output the digest in the "coreutils" format, including newlines.
56 Used by programs like sha1sum(1).
57
58 -out filename
59 Filename to output to, or standard output by default.
60
61 -sign filename|uri
62 Digitally sign the digest using the given private key. Note this
63 option does not support Ed25519 or Ed448 private keys. Use the
64 openssl-pkeyutl(1) command instead for this.
65
66 -keyform DER|PEM|P12|ENGINE
67 The format of the key to sign with; unspecified by default. See
68 openssl-format-options(1) for details.
69
70 -sigopt nm:v
71 Pass options to the signature algorithm during sign or verify
72 operations. Names and values of these options are algorithm-
73 specific.
74
75 -passin arg
76 The private key password source. For more information about the
77 format of arg see openssl-passphrase-options(1).
78
79 -verify filename
80 Verify the signature using the public key in "filename". The
81 output is either "Verified OK" or "Verification Failure".
82
83 -prverify filename
84 Verify the signature using the private key in "filename".
85
86 -signature filename
87 The actual signature to verify.
88
89 -hmac key
90 Create a hashed MAC using "key".
91
92 The openssl-mac(1) command should be preferred to using this
93 command line option.
94
95 -mac alg
96 Create MAC (keyed Message Authentication Code). The most popular
97 MAC algorithm is HMAC (hash-based MAC), but there are other MAC
98 algorithms which are not based on hash, for instance gost-mac
99 algorithm, supported by the gost engine. MAC keys and other options
100 should be set via -macopt parameter.
101
102 The openssl-mac(1) command should be preferred to using this
103 command line option.
104
105 -macopt nm:v
106 Passes options to MAC algorithm, specified by -mac key. Following
107 options are supported by both by HMAC and gost-mac:
108
109 key:string
110 Specifies MAC key as alphanumeric string (use if key contain
111 printable characters only). String length must conform to any
112 restrictions of the MAC algorithm for example exactly 32 chars
113 for gost-mac.
114
115 hexkey:string
116 Specifies MAC key in hexadecimal form (two hex digits per
117 byte). Key length must conform to any restrictions of the MAC
118 algorithm for example exactly 32 chars for gost-mac.
119
120 The openssl-mac(1) command should be preferred to using this
121 command line option.
122
123 -fips-fingerprint
124 Compute HMAC using a specific key for certain OpenSSL-FIPS
125 operations.
126
127 -rand files, -writerand file
128 See "Random State Options" in openssl(1) for details.
129
130 -engine id
131 See "Engine Options" in openssl(1). This option is deprecated.
132
133 The engine is not used for digests unless the -engine_impl option
134 is used or it is configured to do so, see "Engine Configuration
135 Module" in config(5).
136
137 -engine_impl id
138 When used with the -engine option, it specifies to also use engine
139 id for digest operations.
140
141 -provider name
142 -provider-path path
143 -propquery propq
144 See "Provider Options" in openssl(1), provider(7), and property(7).
145
146 file ...
147 File or files to digest. If no files are specified then standard
148 input is used.
149
151 To create a hex-encoded message digest of a file:
152
153 openssl dgst -md5 -hex file.txt
154 or
155 openssl md5 file.txt
156
157 To sign a file using SHA-256 with binary file output:
158
159 openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
160 or
161 openssl sha256 -sign privatekey.pem -out signature.sign file.txt
162
163 To verify a signature:
164
165 openssl dgst -sha256 -verify publickey.pem \
166 -signature signature.sign \
167 file.txt
168
170 The digest mechanisms that are available will depend on the options
171 used when building OpenSSL. The "openssl list -digest-algorithms"
172 command can be used to list them.
173
174 New or agile applications should use probably use SHA-256. Other
175 digests, particularly SHA-1 and MD5, are still widely used for
176 interoperating with existing formats and protocols.
177
178 When signing a file, this command will automatically determine the
179 algorithm (RSA, ECC, etc) to use for signing based on the private key's
180 ASN.1 info. When verifying signatures, it only handles the RSA, DSA,
181 or ECDSA signature itself, not the related data to identify the signer
182 and algorithm used in formats such as x.509, CMS, and S/MIME.
183
184 A source of random numbers is required for certain signing algorithms,
185 in particular ECDSA and DSA.
186
187 The signing and verify options should only be used if a single file is
188 being signed or verified.
189
190 Hex signatures cannot be verified using openssl. Instead, use "xxd -r"
191 or similar program to transform the hex signature into a binary
192 signature prior to verification.
193
194 The openssl-mac(1) command is preferred over the -hmac, -mac and
195 -macopt command line options.
196
198 openssl-mac(1)
199
201 The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
202 The FIPS-related options were removed in OpenSSL 1.1.0.
203
204 The -engine and -engine_impl options were deprecated in OpenSSL 3.0.
205
207 Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
208
209 Licensed under the Apache License 2.0 (the "License"). You may not use
210 this file except in compliance with the License. You can obtain a copy
211 in the file LICENSE in the source distribution or at
212 <https://www.openssl.org/source/license.html>.
213
214
215
2163.0.5 2022-07-05 OPENSSL-DGST(1ossl)