.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
.TH XMLSEC1 "1" "January 2025" "xmlsec1 1.3.7 (openssl)" "User Commands"
.SH NAME
xmlsec1 \- sign, verify, encrypt and decrypt XML documents
.SH SYNOPSIS
.B xmlsec
\fI\,<command> \/\fR[\fI\,<options>\/\fR] [\fI\,<files>\/\fR]
.SH DESCRIPTION
xmlsec is a command line tool for signing, verifying, encrypting and
decrypting XML documents. The allowed <command> values are:
.TP
\fB\-\-help\fR
display this help information and exit
.TP
\fB\-\-help\-all\fR
display help information for all commands/options and exit
.TP
\fB\-\-help\-\fR<cmd>
display help information for command <cmd> and exit
.TP
\fB\-\-version\fR
print version information and exit
.TP
\fB\-\-keys\fR
keys XML file manipulation
.TP
\fB\-\-sign\fR
sign data and output XML document
.TP
\fB\-\-verify\fR
verify signed document
.TP
\fB\-\-sign\-tmpl\fR
create and sign dynamicaly generated signature template
.TP
\fB\-\-encrypt\fR
encrypt data and output XML document
.TP
\fB\-\-decrypt\fR
decrypt data from XML document
.SH OPTIONS
.HP
\fB\-\-ignore\-manifests\fR
.IP
do not process <dsig:Manifest> elements
.HP
\fB\-\-store\-references\fR
.IP
store and print the result of <dsig:Reference/> element processing
just before calculating digest
.HP
\fB\-\-store\-signatures\fR
.IP
store and print the result of <dsig:Signature> processing
just before calculating signature
.HP
\fB\-\-enabled\-reference\-uris\fR <list>
.IP
comma separated list of of the following values:
"empty", "same\-doc", "local","remote" to restrict possible URI
attribute values for the <dsig:Reference> element
.HP
\fB\-\-enable\-visa3d\-hack\fR
.IP
enables Visa3D protocol specific hack for URI attributes processing
when we are trying not to use XPath/XPointer engine; this is a hack
and I don't know what else might be broken in your application when
you use it (also check "\-\-id\-attr" option because you might need it)
.HP
\fB\-\-hmac\-min\-out\-len\fR <bits>
.IP
sets minimum HMAC output length to <bits>
.HP
\fB\-\-binary\-data\fR <file>
.IP
binary <file> to encrypt
.HP
\fB\-\-xml\-data\fR <file>
.IP
XML <file> to encrypt
.HP
\fB\-\-enabled\-cipher\-reference\-uris\fR <list>
.IP
comma separated list of of the following values:
"empty", "same\-doc", "local","remote" to restrict possible URI
attribute values for the <enc:CipherReference> element
.HP
\fB\-\-session\-key\fR <keyKlass>\-<keySize>
.IP
generate new session <keyKlass> key of <keySize> bits size
(for example, "\-\-session des\-192" generates a new 192 bits
DES key for DES3 encryption)
.HP
\fB\-\-output\fR <filename>
.IP
write result document to file <filename>; the <filename> can
be a template and include '{inputfile}' which will be repaced
with the input filename
.HP
\fB\-\-print\-debug\fR
.IP
print debug information to stdout
.HP
\fB\-\-print\-xml\-debug\fR
.IP
print debug information to stdout in xml format
.HP
\fB\-\-dtd\-file\fR <file>
.IP
load the specified file as the DTD
.HP
\fB\-\-node\-id\fR <id>
.IP
set the operation start point to the node with given <id>
.HP
\fB\-\-node\-name\fR [<namespace\-uri>:]<name>
.IP
set the operation start point to the first node
with given <name> and <namespace> URI
.HP
\fB\-\-node\-xpath\fR <expr>
.IP
set the operation start point to the first node
selected by the specified XPath expression
.HP
\fB\-\-id\-attr[\fR:<attr\-name>] [<node\-namespace\-uri>:]<node\-name>
.IP
adds attributes <attr\-name> (default value "id") from all nodes
with<node\-name> and namespace <node\-namespace\-uri> to the list of
known ID attributes; this is a hack and if you can use DTD or schema
to declare ID attributes instead (see "\-\-dtd\-file" option),
I don't know what else might be broken in your application when
you use this hack
.HP
\fB\-\-enabled\-key\-data\fR <list>
.IP
comma separated list of enabled key data (list of
registered key data klasses is available with "\-\-list\-key\-data"
command); by default, all registered key data are enabled
.HP
\fB\-\-enabled\-retrieval\-method\-uris\fR <list>
.IP
comma separated list of of the following values:
"empty", "same\-doc", "local","remote" to restrict possible URI
attribute values for the <dsig:RetrievalMethod> element.
.HP
\fB\-\-enabled\-key\-info\-reference\-uris\fR <list>
.IP
comma separated list of of the following values:
"empty", "same\-doc", "local","remote" to restrict possible URI
attribute values for the <dsig11:KeyInfoReference> element.
.HP
\fB\-\-gen\-key[\fR:<name>] <keyKlass>\-<keySize>
.IP
generate new <keyKlass> key of <keySize> bits size,
set the key name to <name> and add the result to keys
manager (for example, "\-\-gen:mykey rsa\-1024" generates
a new 1024 bits RSA key and sets it's name to "mykey")
.HP
\fB\-\-keys\-file\fR <file>
.IP
load keys from XML file
.HP
\fB\-\-privkey\-pem[\fR:<name>] <file>[,<cafile>[,<cafile>[...]]]
.IP
load private key from PEM file and certificates
that verify this key
.HP
\fB\-\-privkey\-der[\fR:<name>] <file>[,<cafile>[,<cafile>[...]]]
.IP
load private key from DER file and certificates
that verify this key
.HP
\fB\-\-pkcs8\-pem[\fR:<name>] <file>[,<cafile>[,<cafile>[...]]]
.IP
load private key from PKCS8 PEM file and PEM certificates
that verify this key
.HP
\fB\-\-pkcs8\-der[\fR:<name>] <file>[,<cafile>[,<cafile>[...]]]
.IP
load private key from PKCS8 DER file and DER certificates
that verify this key
.HP
\fB\-\-privkey\-openssl\-store[\fR:<name>] <uri>
.IP
load private key and certs through OpenSSL ossl_store interface (e.g. from HSM)
.HP
\fB\-\-privkey\-openssl\-engine[\fR:<name>] <openssl\-engine>;<openssl\-key\-id>[,<crtfile>[,<crtfile>[...]]]
.IP
load private key by OpenSSL ENGINE interface; specify the name of engine
(like with \fB\-engine\fR params), the key specs (like with \fB\-inkey\fR or \fB\-key\fR params)
and optionally certificates that verify this key
.HP
\fB\-\-pubkey\-pem[\fR:<name>] <file>
.IP
load public key from PEM file
.HP
\fB\-\-pubkey\-der[\fR:<name>] <file>
.IP
load public key from DER file
.HP
\fB\-\-pubkey\-openssl\-store[\fR:<name>] <uri>
.IP
load pubkey key and certs through OpenSSL ossl_store interface (e.g. from HSM)
.HP
\fB\-\-pubkey\-openssl\-engine[\fR:<name>] <openssl\-engine>;<openssl\-key\-id>[,<crtfile>[,<crtfile>[...]]]
.IP
load public key by OpenSSL ENGINE interface; specify the name of engine
(like with \fB\-engine\fR params), the key specs (like with \fB\-inkey\fR or \fB\-key\fR params)
and optionally certificates that verify this key
.HP
\fB\-\-pwd\fR <password>
.IP
the password to use for reading keys and certs
.HP
\fB\-\-lax\-key\-search\fR
.IP
enable lax key search (e.g. by key type like "rsa") vs default strict key search
mode using only information from <dsig:KeyInfo/> node (e.g. key name)
.HP
\fB\-\-verify\-keys\fR
.IP
force verification of public/private keys loaded from the command: keys are required
to have a key certificate that will be verified against the certificates in the key store
.HP
\fB\-\-aes\-key[\fR:<name>] <file>
.IP
load AES key from binary file <file>
.HP
\fB\-\-concatkdf\-key[\fR:<name>] <file>
.IP
load ConcatKDF key from binary file <file>
.HP
\fB\-\-des\-key[\fR:<name>] <file>
.IP
load DES key from binary file <file>
.HP
\fB\-\-hmac\-key[\fR:<name>] <file>
.IP
load HMAC key from binary file <file>
.HP
\fB\-\-pbkdf2\-key[\fR:<name>] <file>
.IP
load Pbkdf2 key from binary file <file>
.HP
\fB\-\-pkcs12[\fR:<name>] <file>
.IP
load load private key from pkcs12 file <file>
.HP
\fB\-\-pkcs12\-persist\fR
.IP
persist loaded private key
.HP
\fB\-\-pubkey\-cert\-pem[\fR:<name>] <file>
.IP
load public key from PEM cert file
.HP
\fB\-\-pubkey\-cert\-der[\fR:<name>] <file>
.IP
load public key from DER cert file
.HP
\fB\-\-trusted\-pem\fR <file>
.IP
load trusted (root) certificate from PEM file <file>
.HP
\fB\-\-untrusted\-pem\fR <file>
.IP
load untrusted certificate from PEM file <file>
.HP
\fB\-\-trusted\-der\fR <file>
.IP
load trusted (root) certificate from DER file <file>
.HP
\fB\-\-untrusted\-der\fR <file>
.IP
load untrusted certificate from DER file <file>
.HP
\fB\-\-crl\-pem\fR <file>
.IP
load CRLs from PEM file <file>
.HP
\fB\-\-crl\-der\fR <file>
.IP
load CRLs from DER file <file>
.HP
\fB\-\-verification\-time\fR <time>
.IP
the local time in "YYYY\-MM\-DD HH:MM:SS" format
used certificates verification
.HP
\fB\-\-verification\-gmt\-time\fR <time>
.IP
the GMT time in "YYYY\-MM\-DD HH:MM:SS" format
used certificates verification
.HP
\fB\-\-X509\-skip\-time\-checks\fR
.IP
skip time checking of X509 certificates and CLRs
.HP
\fB\-\-depth\fR <number>
.IP
maximum certificates chain depth
.HP
\fB\-\-X509\-skip\-strict\-checks\fR
.IP
skip strict checking of X509 data
.HP
\fB\-\-insecure\fR
.IP
do not verify certificates
.HP
\fB\-\-crypto\fR <name>
.IP
the name of the crypto engine to use from the following
list: openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is
specified then the default one is used)
.HP
\fB\-\-crypto\-config\fR <path>
.IP
path to crypto engine configuration
.HP
\fB\-\-verbose\fR
.IP
print detailed error messages
.HP
\fB\-\-repeat\fR <number>
.IP
repeat the operation <number> times
.HP
\fB\-\-base64\-line\-size\fR <size>
.IP
sets the max line size for base64 encodings to <size>
.HP
\fB\-\-transform\-binary\-chunk\-size\fR <size>
.IP
sets the transforms binary processing chunk size to <size>;
increasing chunk size might improve performance at the expense
of increased memory usage
.HP
\fB\-\-xxe\fR
.IP
enable External Entity resolution.
WARNING: this may allow the reading of arbitrary files and URLs,
controlled by the input XML document.  Use with caution!
.HP
\fB\-\-url\-map\fR:<url> <file>
.IP
maps a given <url> to the given <file> for loading external resources
.HP
\fB\-\-help\fR
.IP
print help information about the command
.SH AUTHOR
Written by Aleksey Sanin <aleksey@aleksey.com>.
.SH "REPORTING BUGS"
Report bugs to http://www.aleksey.com/xmlsec/bugs.html
.SH COPYRIGHT
Copyright \(co 2002\-2024 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved..
.br
This is free software: see the source for copying information.