xmlsec1 (1) Linux Manual Page

NAME

xmlsec1 – sign, verify, encrypt and decrypt XML documents

SYNOPSIS

xmlsec <command> [<options>] [<files>]

DESCRIPTION

xmlsec is a command line tool for signing, verifying, encrypting and decrypting XML documents. The allowed <command> values are:

–help

display this help information and exit

–help-all

display help information for all commands/options and exit

–help-<cmd>

display help information for command <cmd> and exit

–version

print version information and exit

–keys

keys XML file manipulation

–sign

sign data and output XML document

–verify

verify signed document

–sign-tmpl

create and sign dynamicaly generated signature template

–encrypt

encrypt data and output XML document

–decrypt

decrypt data from XML document

OPTIONS

–ignore-manifests

do not process <dsig:Manifest> elements

–store-references

store and print the result of <dsig:Reference/> element processing just before calculating digest

–store-signatures

store and print the result of <dsig:Signature> processing just before calculating signature

–enabled-reference-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <dsig:Reference> element

–enable-visa3d-hack

enables Visa3D protocol specific hack for URI attributes processing when we are trying not to use XPath/XPointer engine; this is a hack and I don’t know what else might be broken in your application when you use it (also check "–id-attr" option because you might need it)

–binary-data <file>

binary <file> to encrypt

–xml-data <file>

XML <file> to encrypt

–enabled-cipher-reference-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <enc:CipherReference> element

–session-key <keyKlass>-<keySize>

generate new session <keyKlass> key of <keySize> bits size (for example, "–session des-192" generates a new 192 bits DES key for DES3 encryption)

–output <filename>

write result document to file <filename>

–print-debug

print debug information to stdout

–print-xml-debug

print debug information to stdout in xml format

–dtd-file <file>

load the specified file as the DTD

–node-id <id>

set the operation start point to the node with given <id>

–node-name [<namespace-uri>:]<name>

set the operation start point to the first node with given <name> and <namespace> URI

–node-xpath <expr>

set the operation start point to the first node selected by the specified XPath expression

–id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>

adds attributes <attr-name> (default value "id") from all nodes with<node-name> and namespace <node-namespace-uri> to the list of known ID attributes; this is a hack and if you can use DTD or schema to declare ID attributes instead (see "–dtd-file" option), I don’t know what else might be broken in your application when you use this hack

–enabled-key-data <list>

comma separated list of enabled key data (list of registered key data klasses is available with "–list-key-data" command); by default, all registered key data are enabled

–enabled-retrieval-uris <list>

comma separated list of of the following values: "empty", "same-doc", "local","remote" to restrict possible URI attribute values for the <dsig:RetrievalMethod> element.

–gen-key[:<name>] <keyKlass>-<keySize>

generate new <keyKlass> key of <keySize> bits size, set the key name to <name> and add the result to keys manager (for example, "–gen:mykey rsa-1024" generates a new 1024 bits RSA key and sets it’s name to "mykey")

–keys-file <file>

load keys from XML file

–privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[…]]]

load private key from PEM file and certificates that verify this key

–privkey-der[:<name>] <file>[,<cafile>[,<cafile>[…]]]

load private key from DER file and certificates that verify this key

–pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[…]]]

load private key from PKCS8 PEM file and PEM certificates that verify this key

–pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[…]]]

load private key from PKCS8 DER file and DER certificates that verify this key

–pubkey-pem[:<name>] <file>

load public key from PEM file

–pubkey-der[:<name>] <file>

load public key from DER file

–aeskey[:<name>] <file>

load AES key from binary file <file>

–deskey[:<name>] <file>

load DES key from binary file <file>

–hmackey[:<name>] <file>

load HMAC key from binary file <file>

–pwd <password>

the password to use for reading keys and certs

–pkcs12[:<name>] <file>

load load private key from pkcs12 file <file>

–pubkey-cert-pem[:<name>] <file>

load public key from PEM cert file

–pubkey-cert-der[:<name>] <file>

load public key from DER cert file

–trusted-pem <file>

load trusted (root) certificate from PEM file <file>

–untrusted-pem <file>

load untrusted certificate from PEM file <file>

–trusted-der <file>

load trusted (root) certificate from DER file <file>

–untrusted-der <file>

load untrusted certificate from DER file <file>

–verification-time <time>

the local time in "YYYY-MM-DD HH:MM:SS" format used certificates verification

–depth <number>

maximum certificates chain depth

–X509-skip-strict-checks

skip strict checking of X509 data

–crypto <name>

the name of the crypto engine to use from the following list: openssl, mscrypto, nss, gnutls, gcrypt (if no crypto engine is specified then the default one is used)

–crypto-config <path>

path to crypto engine configuration

–repeat <number>

repeat the operation <number> times

–disable-error-msgs

do not print xmlsec error messages

–print-crypto-error-msgs

print errors stack at the end

–help

print help information about the command

AUTHOR

Written by Aleksey Sanin <aleksey [at] aleksey.com>.

REPORTING BUGS

Report bugs to http://www.aleksey.com/xmlsec/bugs.html

COPYRIGHT

Copyright © 2002-2003 Aleksey Sanin.
This is free software: see the source for copying information.

Index