Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Wednesday, February 9, 2022
 
 

xmlsec1 (1)

Name

xmlsec1 - sign, verify, encrypt and decrypt XML documents

Synopsis

xmlsec <command> [<options>] [<files>]

Description

XMLSEC1(1)                       User Commands                      XMLSEC1(1)



NAME
       xmlsec1 - sign, verify, encrypt and decrypt XML documents

SYNOPSIS
       xmlsec <command> [<options>] [<files>]

DESCRIPTION
       xmlsec  is  a  command line tool for signing, verifying, encrypting and
       decrypting XML documents. The allowed <command> values are:

       --help display this help information and exit

       --help-all
              display help information for all commands/options and exit

       --help-<cmd>
              display help information for command <cmd> and exit

       --version
              print version information and exit

       --keys keys XML file manipulation

       --sign sign data and output XML document

       --verify
              verify signed document

       --sign-tmpl
              create and sign dynamicaly generated signature template

       --encrypt
              encrypt data and output XML document

       --decrypt
              decrypt data from XML document

OPTIONS
       --ignore-manifests

              do not process <dsig:Manifest> elements

       --store-references

              store and print the result of <dsig:Reference/> element process-
              ing just before calculating digest

       --store-signatures

              store  and  print the result of <dsig:Signature> processing just
              before calculating signature

       --enabled-reference-uris <list>

              comma separated  list  of  of  the  following  values:  "empty",
              "same-doc",  "local","remote" to restrict possible URI attribute
              values for the <dsig:Reference> element

       --enable-visa3d-hack

              enables Visa3D protocol specific hack for  URI  attributes  pro-
              cessing  when  we  are  trying not to use XPath/XPointer engine;
              this is a hack and I don't know what else  might  be  broken  in
              your  application when you use it (also check "--id-attr" option
              because you might need it)

       --binary-data <file>

              binary <file> to encrypt

       --xml-data <file>

              XML <file> to encrypt

       --enabled-cipher-reference-uris <list>

              comma separated  list  of  of  the  following  values:  "empty",
              "same-doc",  "local","remote" to restrict possible URI attribute
              values for the <enc:CipherReference> element

       --session-key <keyKlass>-<keySize>

              generate new session <keyKlass> key of <keySize> bits size  (for
              example,  "--session  des-192"  generates a new 192 bits DES key
              for DES3 encryption)

       --output <filename>

              write result document to file <filename>

       --print-debug

              print debug information to stdout

       --print-xml-debug

              print debug information to stdout in xml format

       --dtd-file <file>

              load the specified file as the DTD

       --node-id <id>

              set the operation start point to the node with given <id>

       --node-name [<namespace-uri>:]<name>

              set the operation start point  to  the  first  node  with  given
              <name> and <namespace> URI

       --node-xpath <expr>

              set  the operation start point to the first node selected by the
              specified XPath expression

       --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>

              adds attributes <attr-name> (default value "id") from all  nodes
              with<node-name>  and  namespace <node-namespace-uri> to the list
              of known ID attributes; this is a hack and if you can use DTD or
              schema  to  declare  ID  attributes  instead  (see  "--dtd-file"
              option), I don't know what else might be broken in your applica-
              tion when you use this hack

       --enabled-key-data <list>

              comma separated list of enabled key data (list of registered key
              data klasses is available with  "--list-key-data"  command);  by
              default, all registered key data are enabled

       --enabled-retrieval-uris <list>

              comma  separated  list  of  of  the  following  values: "empty",
              "same-doc", "local","remote" to restrict possible URI  attribute
              values for the <dsig:RetrievalMethod> element.

       --gen-key[:<name>] <keyKlass>-<keySize>

              generate  new <keyKlass> key of <keySize> bits size, set the key
              name to <name> and add the result to keys manager (for  example,
              "--gen:mykey  rsa-1024"  generates  a  new 1024 bits RSA key and
              sets it's name to "mykey")

       --keys-file <file>

              load keys from XML file

       --privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from PEM file and certificates that verify this
              key

       --privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from DER file and certificates that verify this
              key

       --pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load private key from PKCS8 PEM file and PEM  certificates  that
              verify this key

       --pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

              load  private  key from PKCS8 DER file and DER certificates that
              verify this key

       --pubkey-pem[:<name>] <file>

              load public key from PEM file

       --pubkey-der[:<name>] <file>

              load public key from DER file

       --aeskey[:<name>] <file>

              load AES key from binary file <file>

       --deskey[:<name>] <file>

              load DES key from binary file <file>

       --hmackey[:<name>] <file>

              load HMAC key from binary file <file>

       --pwd <password>

              the password to use for reading keys and certs

       --pkcs12[:<name>] <file>

              load load private key from pkcs12 file <file>

       --pkcs12-persist

              persist loaded private key

       --pubkey-cert-pem[:<name>] <file>

              load public key from PEM cert file

       --pubkey-cert-der[:<name>] <file>

              load public key from DER cert file

       --trusted-pem <file>

              load trusted (root) certificate from PEM file <file>

       --untrusted-pem <file>

              load untrusted certificate from PEM file <file>

       --trusted-der <file>

              load trusted (root) certificate from DER file <file>

       --untrusted-der <file>

              load untrusted certificate from DER file <file>

       --verification-time <time>

              the local time in "YYYY-MM-DD HH:MM:SS" format used certificates
              verification

       --depth <number>

              maximum certificates chain depth

       --X509-skip-strict-checks

              skip strict checking of X509 data

       --insecure

              do not verify certificates

       --crypto <name>

              the  name  of  the crypto engine to use from the following list:
              openssl, mscrypto, nss, gnutls, gcrypt (if no crypto  engine  is
              specified then the default one is used)

       --crypto-config <path>

              path to crypto engine configuration

       --repeat <number>

              repeat the operation <number> times

       --disable-error-msgs

              do not print xmlsec error messages

       --print-crypto-error-msgs

              print errors stack at the end

       --help

              print help information about the command

       --xxe

              enable  External Entity resolution.  WARNING: this may allow the
              reading of arbitrary files and URLs, controlled by the input XML
              document.  Use with caution!

       --url-map:<url> <file>

              maps  a  given  <url>  to  the given <file> for loading external
              resources

AUTHOR
       Written by Aleksey Sanin <aleksey@aleksey.com>.

REPORTING BUGS
       Report bugs to http://www.aleksey.com/xmlsec/bugs.html

COPYRIGHT
       Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights
       Reserved..
       This is free software: see the source for copying information.



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+------------------+
       |ATTRIBUTE TYPE | ATTRIBUTE VALUE  |
       +---------------+------------------+
       |Availability   | library/xmlsec   |
       +---------------+------------------+
       |Stability      | Volatile         |
       +---------------+------------------+

NOTES
       Source  code  for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-
       code-downloads.html.

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source   was   downloaded   from    http://www.aleksey.com/xmlsec/down-
       load/xmlsec1-1.2.28.tar.gz.

       Further information about this software can be found on the open source
       community website at https://www.aleksey.com/xmlsec.



xmlsec1 1.2.28 (openssl)          April 2019                        XMLSEC1(1)