XMLSEC1

NAME

SYNOPSIS

DESCRIPTION

--help

display this help information and exit

--help-all

display help information for all commands/options and exit

--help-<cmd>

display help information for command <cmd> and exit

--version

print version information and exit

--keys

keys XML file manipulation

--sign

sign data and output XML document

--verify

verify signed document

--sign-tmpl

create and sign dynamicaly generated signature template

--encrypt

encrypt data and output XML document

--decrypt

decrypt data from XML document

OPTIONS

--ignore-manifests

do not process <dsig:Manifest> elements

--store-references

store and print the result of <dsig:Reference/> element processing just before calculating digest

--store-signatures

store and print the result of <dsig:Signature> processing just before calculating signature

--enabled-reference-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <dsig:Reference> element

--enable-visa3d-hack

enables Visa3D protocol specific hack for URI attributes processing when we are trying not to use XPath/XPointer engine; this is a hack and I don't know what else might be broken in your application when you use it (also check "--id-attr" option because you might need it)

--hmac-min-out-len <bits>

sets minimum HMAC output length to <bits>

--binary-data <file>

binary <file> to encrypt

--xml-data <file>

XML <file> to encrypt

--enabled-cipher-reference-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <enc:CipherReference> element

--session-key <keyKlass>-<keySize>

generate new session <keyKlass> key of <keySize> bits size (for example, "--session des-192" generates a new 192 bits DES key for DES3 encryption)

--output <filename>

write result document to file <filename>; the <filename> can be a template and include '{inputfile}' which will be repaced with the input filename

--print-debug

print debug information to stdout

--print-xml-debug

print debug information to stdout in xml format

--dtd-file <file>

load the specified file as the DTD

--node-id <id>

set the operation start point to the node with given <id>

--node-name [<namespace-uri>:]<name>

set the operation start point to the first node with given <name> and <namespace> URI

--node-xpath <expr>

set the operation start point to the first node selected by the specified XPath expression

--id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>

adds attributes <attr-name> (default value "id") from all nodes with<node-name> and namespace <node-namespace-uri> to the list of known ID attributes; this is a hack and if you can use DTD or schema to declare ID attributes instead (see "--dtd-file" option), I don't know what else might be broken in your application when you use this hack

--enabled-key-data <list>

comma separated list of enabled key data (list of registered key data klasses is available with "--list-key-data" command); by default, all registered key data are enabled

--enabled-retrieval-method-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <dsig:RetrievalMethod> element.

--enabled-key-info-reference-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <dsig11:KeyInfoReference> element.

--gen-key[:<name>] <keyKlass>-<keySize>

generate new <keyKlass> key of <keySize> bits size, set the key name to <name> and add the result to keys manager (for example, "--gen:mykey rsa-1024" generates a new 1024 bits RSA key and sets it's name to "mykey")

--keys-file <file>

load keys from XML file

--privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

load private key from PEM file and certificates that verify this key

--privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

load private key from DER file and certificates that verify this key

--pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

load private key from PKCS8 PEM file and PEM certificates that verify this key

--pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

load private key from PKCS8 DER file and DER certificates that verify this key

--privkey-openssl-store[:<name>] <uri>

load private key and certs through OpenSSL ossl_store interface (e.g. from HSM)

--privkey-openssl-engine[:<name>] <openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]

load private key by OpenSSL ENGINE interface; specify the name of engine (like with -engine params), the key specs (like with -inkey or -key params) and optionally certificates that verify this key

--pubkey-pem[:<name>] <file>

load public key from PEM file

--pubkey-der[:<name>] <file>

load public key from DER file

--pubkey-openssl-store[:<name>] <uri>

load pubkey key and certs through OpenSSL ossl_store interface (e.g. from HSM)

--pubkey-openssl-engine[:<name>] <openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]

load public key by OpenSSL ENGINE interface; specify the name of engine (like with -engine params), the key specs (like with -inkey or -key params) and optionally certificates that verify this key

--pwd <password>

the password to use for reading keys and certs

--lax-key-search

enable lax key search (e.g. by key type like "rsa") vs default strict key search mode using only information from <dsig:KeyInfo/> node (e.g. key name)

--verify-keys

force verification of public/private keys loaded from the command: keys are required to have a key certificate that will be verified against the certificates in the key store

--aes-key[:<name>] <file>

load AES key from binary file <file>

--concatkdf-key[:<name>] <file>

load ConcatKDF key from binary file <file>

--des-key[:<name>] <file>

load DES key from binary file <file>

--hmac-key[:<name>] <file>

load HMAC key from binary file <file>

--pbkdf2-key[:<name>] <file>

load Pbkdf2 key from binary file <file>

--pkcs12[:<name>] <file>

load load private key from pkcs12 file <file>

--pkcs12-persist

persist loaded private key

--pubkey-cert-pem[:<name>] <file>

load public key from PEM cert file

--pubkey-cert-der[:<name>] <file>

load public key from DER cert file

--trusted-pem <file>

load trusted (root) certificate from PEM file <file>

--untrusted-pem <file>

load untrusted certificate from PEM file <file>

--trusted-der <file>

load trusted (root) certificate from DER file <file>

--untrusted-der <file>

load untrusted certificate from DER file <file>

--crl-pem <file>

load CRLs from PEM file <file>

--crl-der <file>

load CRLs from DER file <file>

--verification-time <time>

the local time in "YYYY-MM-DD HH:MM:SS" format used certificates verification

--verification-gmt-time <time>

the GMT time in "YYYY-MM-DD HH:MM:SS" format used certificates verification

--depth <number>

maximum certificates chain depth

--X509-skip-strict-checks

skip strict checking of X509 data

--insecure

do not verify certificates

--crypto <name>

the name of the crypto engine to use from the following list: openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is specified then the default one is used)

--crypto-config <path>

path to crypto engine configuration

--verbose

print detailed error messages

--repeat <number>

repeat the operation <number> times

--base64-line-size <size>

sets the max line size for base64 encodings to <size>

--transform-binary-chunk-size <size>

sets the transforms binary processing chunk size to <size>; increasing chunk size might improve performance at the expense of increased memory usage

--xxe

enable External Entity resolution. WARNING: this may allow the reading of arbitrary files and URLs, controlled by the input XML document. Use with caution!

--url-map:<url> <file>

maps a given <url> to the given <file> for loading external resources

--help

print help information about the command

AUTHOR

REPORTING BUGS

COPYRIGHT

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

AUTHOR

REPORTING BUGS

COPYRIGHT