XMLSEC1(1)                       User Commands                       XMLSEC1(1)

       xmlsec1 - sign, verify, encrypt and decrypt XML documents

       xmlsec <command> [<options>] [<files>]

       xmlsec is a command line tool for signing, verifying, encrypting and
       decrypting XML documents. The allowed <command> values are:

       --help display this help information and exit

       --help-all
              display help information for all commands/options and exit

       --help-<cmd>
              display help information for command <cmd> and exit

       --version
              print version information and exit

       --keys keys XML file manipulation

       --sign sign data and output XML document

       --verify
              verify signed document

       --sign-tmpl
              create and sign dynamically generated signature template

       --encrypt
              encrypt data and output XML document

       --decrypt
              decrypt data from XML document

       --ignore-manifests
              do not process <dsig:Manifest> elements

       --store-references
              store and print the result of <dsig:Reference/> element
              processing just before calculating digest

       --store-signatures
              store and print the result of <dsig:Signature> processing just
              before calculating signature

       --enabled-reference-uris <list>
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:Reference> element

       --enable-visa3d-hack
              enables Visa3D protocol specific hack for URI attributes
              processing when we are trying not to use XPath/XPointer engine;
              this is a hack and I don't know what else might be broken in
              your application when you use it (also check "--id-attr" option
              because you might need it)

       --binary-data <file>
              binary <file> to encrypt

       --xml-data <file>
              XML <file> to encrypt

       --enabled-cipher-reference-uris <list>
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <enc:CipherReference> element

       --session-key <keyKlass>-<keySize>
              generate new session <keyKlass> key of <keySize> bits size (for
              example, "--session-key des-192" generates a new 192 bits DES
              key for DES3 encryption)

       --output <filename>
              write result document to file <filename>

       --print-debug
              print debug information to stdout

       --print-xml-debug
              print debug information to stdout in xml format

       --dtd-file <file>
              load the specified file as the DTD

       --node-id <id>
              set the operation start point to the node with given <id>

       --node-name [<namespace-uri>:]<name>
              set the operation start point to the first node with given
              <name> and <namespace-uri>

       --node-xpath <expr>
              set the operation start point to the first node selected by the
              specified XPath expression

       --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
              adds attributes <attr-name> (default value "id") from all nodes
              with <node-name> and namespace <node-namespace-uri> to the list
              of known ID attributes; this is a hack: if you can, use DTD or
              schema to declare ID attributes instead (see "--dtd-file"
              option), because I don't know what else might be broken in your
              application when you use this hack

       --enabled-key-data <list>
              comma separated list of enabled key data (list of registered key
              data klasses is available with "--list-key-data" command); by
              default, all registered key data are enabled

       --enabled-retrieval-uris <list>
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:RetrievalMethod> element.

       --gen-key[:<name>] <keyKlass>-<keySize>
              generate new <keyKlass> key of <keySize> bits size, set the key
              name to <name> and add the result to keys manager (for example,
              "--gen-key:mykey rsa-1024" generates a new 1024 bits RSA key and
              sets its name to "mykey")

       --keys-file <file>
              load keys from XML file

       --privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from PEM file and certificates that verify this
              key

       --privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from DER file and certificates that verify this
              key

       --pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from PKCS8 PEM file and PEM certificates that
              verify this key

       --pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]
              load private key from PKCS8 DER file and DER certificates that
              verify this key

       --pubkey-pem[:<name>] <file>
              load public key from PEM file

       --pubkey-der[:<name>] <file>
              load public key from DER file

       --aeskey[:<name>] <file>
              load AES key from binary file <file>

       --deskey[:<name>] <file>
              load DES key from binary file <file>

       --hmackey[:<name>] <file>
              load HMAC key from binary file <file>

       --pwd <password>
              the password to use for reading keys and certs

       --pkcs12[:<name>] <file>
              load private key from pkcs12 file <file>

       --pkcs12-persist
              persist loaded private key

       --pubkey-cert-pem[:<name>] <file>
              load public key from PEM cert file

       --pubkey-cert-der[:<name>] <file>
              load public key from DER cert file

       --trusted-pem <file>
              load trusted (root) certificate from PEM file <file>

       --untrusted-pem <file>
              load untrusted certificate from PEM file <file>

       --trusted-der <file>
              load trusted (root) certificate from DER file <file>

       --untrusted-der <file>
              load untrusted certificate from DER file <file>

       --verification-time <time>
              the local time in "YYYY-MM-DD HH:MM:SS" format used for
              certificate verification

       --verification-gmt-time <time>
              the GMT time in "YYYY-MM-DD HH:MM:SS" format used for
              certificate verification

       --depth <number>
              maximum certificates chain depth

       --X509-skip-strict-checks
              skip strict checking of X509 data

       --insecure
              do not verify certificates

       --privkey-openssl-engine[:<name>] <openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]
              load private key by OpenSSL ENGINE interface; specify the name
              of engine (like with -engine params), the key specs (like with
              -inkey or -key params) and optionally certificates that verify
              this key

       --crypto <name>
              the name of the crypto engine to use from the following list:
              openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is
              specified then the default one is used)

       --crypto-config <path>
              path to crypto engine configuration

       --repeat <number>
              repeat the operation <number> times

       --disable-error-msgs
              do not print xmlsec error messages

       --print-crypto-error-msgs
              print errors stack at the end

       --help print help information about the command

       --xxe  enable External Entity resolution. WARNING: this may allow the
              reading of arbitrary files and URLs, controlled by the input XML
              document. Use with caution!

       --url-map:<url> <file>
              maps a given <url> to the given <file> for loading external
              resources
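       An end-to-end sign/verify run, added here as an example and not part
       of the xmlsec1 man page or the xmlsec project. It assumes xmlsec1 (with
       the openssl backend) and the openssl command are on PATH; the envelope
       document, its namespace urn:example:envelope, the key name "demokey"
       and the temporary file names are constructed for this example. It uses
       the [:<name>] suffix of --privkey-pem/--pubkey-pem, restricts
       <dsig:Reference> URIs with --enabled-reference-uris, and goes one step
       beyond the option descriptions by checking that a tampered copy of the
       signed document fails --verify.

```shell
#!/bin/sh
# Added example, not part of the xmlsec1 man page: sign a small XML document
# with a freshly generated RSA key, verify it under a reference-URI allow-list,
# and confirm that a tampered copy is rejected. Assumes xmlsec1 (openssl
# backend) and openssl are on PATH; the function prints "skipped" if not.
set -eu

# Signature template (constructed for this example): an enveloped signature
# over the whole document (URI=""). xmlsec1 --sign fills in DigestValue,
# SignatureValue and KeyName.
write_template() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:example:envelope">
  <Data>Hello, World</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo>
      <KeyName/>
    </KeyInfo>
  </Signature>
</Envelope>
EOF
}

# Prints one word: "verified" when the sign/verify/tamper cycle behaves as
# expected, "skipped" when the tools are missing; fails (non-zero) otherwise.
sign_and_verify() {
    if ! command -v xmlsec1 >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # Key pair for the demo; "demokey" is the key name given through the
    # [:<name>] suffix of --privkey-pem / --pubkey-pem.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/key.pem" 2>/dev/null
    openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem"

    write_template "$work/tmpl.xml"

    # Sign: the private key is loaded under the name "demokey", which
    # xmlsec1 writes into the empty <KeyName/> of the template.
    xmlsec1 --sign --privkey-pem:demokey "$work/key.pem" \
        --output "$work/signed.xml" "$work/tmpl.xml"

    # Verify with the public key only, and restrict <dsig:Reference> URIs to
    # the document itself so the verifier never dereferences local or remote
    # resources named by the (untrusted) input document.
    xmlsec1 --verify --pubkey-pem:demokey "$work/pub.pem" \
        --enabled-reference-uris empty,same-doc "$work/signed.xml" >/dev/null

    # Negative check: changing the signed content must break verification.
    sed 's/Hello, World/Tampered/' "$work/signed.xml" > "$work/tampered.xml"
    if xmlsec1 --verify --pubkey-pem:demokey "$work/pub.pem" \
        --enabled-reference-uris empty,same-doc "$work/tampered.xml" >/dev/null 2>&1; then
        echo "tampered document was accepted"
        return 1
    fi
    echo verified
}

sign_and_verify
```

       When the signer's key comes from an X.509 certificate instead of a
       bare public key, the same verify step takes --trusted-pem with the
       issuing CA and, if the chain is longer, --untrusted-pem for the
       intermediates; --insecure and --xxe are deliberately left at their
       defaults here, since both widen what an attacker-supplied document can
       make the tool do.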
295
       Written by Aleksey Sanin <aleksey@aleksey.com>.

       Report bugs to http://www.aleksey.com/xmlsec/bugs.html

       Copyright © 2002-2022 Aleksey Sanin <aleksey@aleksey.com>. All Rights
       Reserved.
       This is free software: see the source for copying information.

xmlsec1 1.2.37 (openssl)          November 2022                      XMLSEC1(1)