OPENSSL-DGST(1ossl)                 OpenSSL                OPENSSL-DGST(1ossl)

NAME

       openssl-dgst - perform digest operations

SYNOPSIS

       openssl dgst|digest [-digest] [-list] [-help] [-c] [-d] [-debug] [-hex]
       [-binary] [-xoflen length] [-r] [-out filename] [-sign filename|uri]
       [-keyform DER|PEM|P12|ENGINE] [-passin arg] [-verify filename]
       [-prverify filename] [-signature filename] [-sigopt nm:v] [-hmac key]
       [-mac alg] [-macopt nm:v] [-fips-fingerprint] [-engine id]
       [-engine_impl id] [-rand files] [-writerand file] [-provider name]
       [-provider-path path] [-propquery propq] [file ...]

DESCRIPTION

       This command outputs the message digest of a supplied file or files in
       hexadecimal, and also generates and verifies digital signatures using
       message digests.

       The generic name, openssl dgst, may be used with an option specifying
       the algorithm to be used.  The default digest is sha256.  A supported
       digest name may also be used as the sub-command name.  To see the list
       of supported algorithms, use "openssl list -digest-algorithms".

OPTIONS

       -help
           Print out a usage message.

       -digest
           Specifies name of a supported digest to be used. See option -list
           below.

       -list
           Prints out a list of supported message digests.

       -c  Print out the digest in two digit groups separated by colons, only
           relevant if the -hex option is given as well.

       -d, -debug
           Print out BIO debugging information.

       -hex
           Digest is to be output as a hex dump. This is the default case for
           a "normal" digest as opposed to a digital signature.  See NOTES
           below for digital signatures using -hex.

       -binary
           Output the digest or signature in binary form.

       -xoflen length
           Set the output length for XOF algorithms, such as shake128 and
           shake256.  This option is not supported for signing operations.

           For OpenSSL providers it is recommended to set this value for shake
           algorithms, since the default values are set to only supply half of
           the maximum security strength.

           For backwards compatibility reasons the default xoflen length for
           shake128 is 16 (bytes) which results in a security strength of only
           64 bits. To ensure the maximum security strength of 128 bits, the
           xoflen should be set to at least 32.

           For backwards compatibility reasons the default xoflen length for
           shake256 is 32 (bytes) which results in a security strength of only
           128 bits. To ensure the maximum security strength of 256 bits, the
           xoflen should be set to at least 64.

       -r  Output the digest in the "coreutils" format, including newlines.
           Used by programs like sha1sum(1).

       -out filename
           Filename to output to, or standard output by default.

       -sign filename|uri
           Digitally sign the digest using the given private key. Note this
           option does not support Ed25519 or Ed448 private keys. Use the
           openssl-pkeyutl(1) command instead for this.

       -keyform DER|PEM|P12|ENGINE
           The format of the key to sign with; unspecified by default.  See
           openssl-format-options(1) for details.

       -sigopt nm:v
           Pass options to the signature algorithm during sign or verify
           operations.  Names and values of these options are algorithm-
           specific.

       -passin arg
           The private key password source. For more information about the
           format of arg see openssl-passphrase-options(1).

       -verify filename
           Verify the signature using the public key in "filename".  The
           output is either "Verified OK" or "Verification Failure".

       -prverify filename
           Verify the signature using the private key in "filename".

       -signature filename
           The actual signature to verify.

       -hmac key
           Create a hashed MAC using "key".

           The openssl-mac(1) command should be preferred to using this
           command line option.

       -mac alg
           Create MAC (keyed Message Authentication Code). The most popular
           MAC algorithm is HMAC (hash-based MAC), but there are other MAC
           algorithms which are not based on hash, for instance gost-mac
           algorithm, supported by the gost engine. MAC keys and other options
           should be set via -macopt parameter.

           The openssl-mac(1) command should be preferred to using this
           command line option.

       -macopt nm:v
           Passes options to MAC algorithm, specified by -mac key.  Following
           options are supported by both HMAC and gost-mac:

           key:string
               Specifies MAC key as alphanumeric string (use if key contains
               printable characters only). String length must conform to any
               restrictions of the MAC algorithm, for example exactly 32 chars
               for gost-mac.

           hexkey:string
               Specifies MAC key in hexadecimal form (two hex digits per
               byte).  Key length must conform to any restrictions of the MAC
               algorithm, for example exactly 32 chars for gost-mac.

           The openssl-mac(1) command should be preferred to using this
           command line option.

       -fips-fingerprint
           Compute HMAC using a specific key for certain OpenSSL-FIPS
           operations.

       -rand files, -writerand file
           See "Random State Options" in openssl(1) for details.

       -engine id
           See "Engine Options" in openssl(1).  This option is deprecated.

           The engine is not used for digests unless the -engine_impl option
           is used or it is configured to do so, see "Engine Configuration
           Module" in config(5).

       -engine_impl id
           When used with the -engine option, it specifies to also use engine
           id for digest operations.

       -provider name
       -provider-path path
       -propquery propq
           See "Provider Options" in openssl(1), provider(7), and property(7).

       file ...
           File or files to digest. If no files are specified then standard
           input is used.

EXAMPLES

       To create a hex-encoded message digest of a file:

        openssl dgst -md5 -hex file.txt
        or
        openssl md5 file.txt

       To sign a file using SHA-256 with binary file output:

        openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
        or
        openssl sha256 -sign privatekey.pem -out signature.sign file.txt

       To verify a signature:

        openssl dgst -sha256 -verify publickey.pem \
        -signature signature.sign \
        file.txt
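
       For the -xoflen option described under OPTIONS, an added example
       that is not part of the original manual page: a wrapper that always
       passes the xoflen the manual gives for maximum security strength, and
       a check showing that a 16-byte shake128 result is only the leading
       half of the 32-byte one.  The function names are hypothetical and the
       input string is constructed.

```shell
#!/bin/sh
# Added example (not from the manual page). Function names are hypothetical.

# Hex SHAKE output of an explicit length.
shake_hex() {        # $1 = shake128|shake256, $2 = xoflen in bytes, $3 = file
    # -r prints "<hex> *<name>"; keep the hex field only.
    openssl dgst "-$1" -xoflen "$2" -r ${3:+"$3"} | cut -d' ' -f1
}

# Digest with the xoflen the manual gives for maximum security strength.
shake_full() {       # $1 = shake128|shake256, $2 = file (stdin if omitted)
    case "$1" in
        shake128) len=32 ;;    # 128-bit strength
        shake256) len=64 ;;    # 256-bit strength
        *) echo "not a SHAKE algorithm: $1" >&2; return 2 ;;
    esac
    shake_hex "$1" "$len" "$2"
}

# A 16-byte shake128 result is only the first half of the 32-byte one.
xof_prefix_demo() {
    short=$(printf 'constructed input' | shake_hex shake128 16)
    full=$(printf 'constructed input' | shake_full shake128)
    case "$full" in
        "$short"?*) echo "prefix" ;;
        *)          echo "differs" ;;
    esac
}

xof_prefix_demo      # prints "prefix"
```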

NOTES

       The digest mechanisms that are available will depend on the options
       used when building OpenSSL.  The "openssl list -digest-algorithms"
       command can be used to list them.

       New or agile applications should probably use SHA-256. Other
       digests, particularly SHA-1 and MD5, are still widely used for
       interoperating with existing formats and protocols.

       When signing a file, this command will automatically determine the
       algorithm (RSA, ECC, etc) to use for signing based on the private key's
       ASN.1 info.  When verifying signatures, it only handles the RSA, DSA,
       or ECDSA signature itself, not the related data to identify the signer
       and algorithm used in formats such as x.509, CMS, and S/MIME.

       A source of random numbers is required for certain signing algorithms,
       in particular ECDSA and DSA.

       The signing and verify options should only be used if a single file is
       being signed or verified.

       Hex signatures cannot be verified using openssl.  Instead, use "xxd -r"
       or similar program to transform the hex signature into a binary
       signature prior to verification.

       The openssl-mac(1) command is preferred over the -hmac, -mac and
       -macopt command line options.
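
       The notes above on signing, verification and hex signatures, as an
       added example that is not part of the original manual page: it signs
       a constructed file with a throwaway EC key, shows that the hex form of
       the signature is rejected until it is converted back to binary, and
       that a file changed after signing fails verification.  Helper names,
       file names and the key are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the manual page). Helper names, file names and
# the throwaway P-256 key are constructed for this demonstration.

# -hex output looks like "ALG(file)= <hex>"; drop the label, decode to binary.
hexsig_to_bin() {    # $1 = hex signature file, $2 = binary output file
    sed 's/^.*= *//' "$1" | xxd -r -p > "$2"
}

# Succeeds only when the signature matches; the exit status is used
# instead of parsing the text printed on standard output.
verify_file() {      # $1 = public key, $2 = signature file, $3 = signed file
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Prints three results: hex signature used directly, converted signature,
# converted signature after the file was modified.
sign_verify_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        umask 077    # keep the private key unreadable to other users
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out privatekey.pem 2>/dev/null
        openssl pkey -in privatekey.pem -pubout -out publickey.pem
        printf 'constructed sample payload\n' > file.txt

        openssl dgst -sha256 -sign privatekey.pem -hex \
            -out signature.hex file.txt
        hexsig_to_bin signature.hex signature.sign

        verify_file publickey.pem signature.hex  file.txt && r1=ok || r1=fail
        verify_file publickey.pem signature.sign file.txt && r2=ok || r2=fail
        printf 'appended after signing\n' >> file.txt
        verify_file publickey.pem signature.sign file.txt && r3=ok || r3=fail
        echo "$r1 $r2 $r3"
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

sign_verify_demo     # prints "fail ok fail"
```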

SEE ALSO

       openssl-mac(1)

HISTORY

       The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
       The FIPS-related options were removed in OpenSSL 1.1.0.

       The -engine and -engine_impl options were deprecated in OpenSSL 3.0.

COPYRIGHT

       Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the Apache License 2.0 (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

3.1.1                             2023-08-31               OPENSSL-DGST(1ossl)