XMLSEC1(1)			 User Commands			    XMLSEC1(1)

NAME
       xmlsec1 - sign, verify, encrypt and decrypt XML documents

SYNOPSIS
       xmlsec <command> [<options>] [<files>]

DESCRIPTION
       xmlsec is a command line tool for signing, verifying, encrypting and
       decrypting XML documents. The allowed <command> values are:

       --help display this help	information and	exit

       --help-all
	      display help information for all commands/options	and exit

       --help-<cmd>
	      display help information for command <cmd> and exit

       --version
	      print version information	and exit

       --keys keys XML file manipulation

       --sign sign data	and output XML document

       --verify
	      verify signed document

       --sign-tmpl
              create and sign dynamically generated signature template

       --encrypt
	      encrypt data and output XML document

       --decrypt
	      decrypt data from	XML document

OPTIONS

       --ignore-manifests

	      do not process <dsig:Manifest> elements

       --store-references

              store and print the result of <dsig:Reference/> element
              processing just before calculating digest

       --store-signatures

	      store and	print the result of <dsig:Signature>  processing  just
	      before calculating signature

       --enabled-reference-uris	<list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:Reference> element

       --enable-visa3d-hack

              enables the Visa3D protocol-specific hack for URI attribute
              processing when we are trying not to use the XPath/XPointer
              engine; this is a hack and I don't know what else might be
              broken in your application when you use it (also check the
              "--id-attr" option because you might need it)

       --hmac-min-out-len <bits>

	      sets minimum HMAC	output length to <bits>

       --binary-data <file>

	      binary <file> to encrypt

       --xml-data <file>

	      XML <file> to encrypt

       --enabled-cipher-reference-uris <list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <enc:CipherReference> element

       --session-key <keyKlass>-<keySize>

              generate new session <keyKlass> key of <keySize> bits (for
              example, "--session-key des-192" generates a new 192-bit DES
              key for DES3 encryption)

       --output	<filename>

              write result document to file <filename>; the <filename> can be
              a template and include '{inputfile}' which will be replaced with
              the input filename

       --print-debug

	      print debug information to stdout

       --print-xml-debug

	      print debug information to stdout	in xml format

       --dtd-file <file>

	      load the specified file as the DTD

       --node-id <id>

	      set the operation	start point to the node	with given <id>

       --node-name [<namespace-uri>:]<name>

	      set  the	operation  start  point	 to  the first node with given
	      <name> and <namespace> URI

       --node-xpath <expr>

	      set the operation	start point to the first node selected by  the
	      specified	XPath expression

       --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>

              adds attributes <attr-name> (default value "id") from all nodes
              with <node-name> and namespace <node-namespace-uri> to the list
              of known ID attributes; this is a hack: if you can, use a DTD or
              schema to declare ID attributes instead (see the "--dtd-file"
              option), because I don't know what else might be broken in your
              application when you use this hack

       --enabled-key-data <list>

	      comma separated list of enabled key data (list of	registered key
	      data  klasses  is	 available with	"--list-key-data" command); by
	      default, all registered key data are enabled

       --enabled-retrieval-method-uris <list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig:RetrievalMethod> element.

       --enabled-key-info-reference-uris <list>

              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI attribute
              values for the <dsig11:KeyInfoReference> element.

       --gen-key[:<name>] <keyKlass>-<keySize>

              generate new <keyKlass> key of <keySize> bits, set the key
              name to <name> and add the result to the keys manager (for
              example, "--gen-key:mykey rsa-1024" generates a new 1024-bit
              RSA key and sets its name to "mykey")

       --keys-file <file>

	      load keys	from XML file

       --privkey-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

	      load private key from PEM	file and certificates that verify this
	      key

       --privkey-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

	      load private key from DER	file and certificates that verify this
	      key

       --pkcs8-pem[:<name>] <file>[,<cafile>[,<cafile>[...]]]

	      load  private  key from PKCS8 PEM	file and PEM certificates that
	      verify this key

       --pkcs8-der[:<name>] <file>[,<cafile>[,<cafile>[...]]]

	      load private key from PKCS8 DER file and DER  certificates  that
	      verify this key

       --privkey-openssl-store[:<name>]	<uri>

	      load  private key	and certs through OpenSSL ossl_store interface
	      (e.g. from HSM)

       --privkey-openssl-engine[:<name>]
              <openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]

	      load  private  key by OpenSSL ENGINE interface; specify the name
	      of engine	(like with -engine params), the	key specs  (like  with
	      -inkey  or  -key params) and optionally certificates that	verify
	      this key

       --pubkey-pem[:<name>] <file>

	      load public key from PEM file

       --pubkey-der[:<name>] <file>

	      load public key from DER file

       --pubkey-openssl-store[:<name>] <uri>

              load public key and certs through OpenSSL ossl_store interface
              (e.g. from HSM)

       --pubkey-openssl-engine[:<name>]
              <openssl-engine>;<openssl-key-id>[,<crtfile>[,<crtfile>[...]]]

	      load public key by OpenSSL ENGINE	interface; specify the name of
	      engine (like with	-engine	params),  the  key  specs  (like  with
	      -inkey  or  -key params) and optionally certificates that	verify
	      this key

       --pwd <password>

	      the password to use for reading keys and certs

       --lax-key-search

              enable lax key search (e.g. by key type like "rsa") vs the
              default strict key search mode using only information from the
              <dsig:KeyInfo/> node (e.g. key name)

       --verify-keys

              force verification of public/private keys loaded from the
              command line: keys are required to have a key certificate that
              will be verified against the certificates in the key store

       --aes-key[:<name>] <file>

	      load AES key from	binary file <file>

       --concatkdf-key[:<name>]	<file>

	      load ConcatKDF key from binary file <file>

       --des-key[:<name>] <file>

	      load DES key from	binary file <file>

       --hmac-key[:<name>] <file>

	      load HMAC	key from binary	file <file>

       --pbkdf2-key[:<name>] <file>

	      load Pbkdf2 key from binary file <file>

       --pkcs12[:<name>] <file>

              load private key from pkcs12 file <file>

       --pkcs12-persist

	      persist loaded private key

       --pubkey-cert-pem[:<name>] <file>

	      load public key from PEM cert file

       --pubkey-cert-der[:<name>] <file>

	      load public key from DER cert file

       --trusted-pem <file>

	      load trusted (root) certificate from PEM file <file>

       --untrusted-pem <file>

	      load untrusted certificate from PEM file <file>

       --trusted-der <file>

	      load trusted (root) certificate from DER file <file>

       --untrusted-der <file>

	      load untrusted certificate from DER file <file>

       --crl-pem <file>

	      load CRLs	from PEM file <file>

       --crl-der <file>

	      load CRLs	from DER file <file>

       --verification-time <time>

              the local time in "YYYY-MM-DD HH:MM:SS" format used for
              certificate verification

       --verification-gmt-time <time>

              the GMT time in "YYYY-MM-DD HH:MM:SS" format used for
              certificate verification

       --depth <number>

	      maximum certificates chain depth

       --X509-skip-strict-checks

	      skip strict checking of X509 data

       --insecure

	      do not verify certificates

       --crypto	<name>

	      the  name	 of  the crypto	engine to use from the following list:
	      openssl, mscrypto, nss, gnutls, gcrypt (if no crypto  engine  is
	      specified	then the default one is	used)

       --crypto-config <path>

	      path to crypto engine configuration

       --verbose

	      print detailed error messages

       --repeat	<number>

	      repeat the operation <number> times

       --base64-line-size <size>

	      sets the max line	size for base64	encodings to <size>

       --transform-binary-chunk-size <size>

              sets the transforms binary processing chunk size to <size>;
              increasing chunk size might improve performance at the expense
              of increased memory usage

       --xxe

	      enable  External Entity resolution.  WARNING: this may allow the
	      reading of arbitrary files and URLs, controlled by the input XML
	      document.	 Use with caution!

       --url-map:<url> <file>

              maps a given <url> to the given <file> for loading external
              resources

       --help

	      print help information about the command
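
       A restrictive --verify invocation assembled from the options above,
       added here as an example and not part of xmlsec or this manual page.
       It assumes xmlsec1 1.3.x on PATH and that the caller supplies the
       trusted CA PEM file, the signed document and the GMT verification
       time; the chain depth of 3 is an arbitrary choice.

```sh
#!/bin/sh
# Hardened xmlsec1 --verify wrapper (added example, not part of xmlsec).
# Assumes: xmlsec1 1.3.x on PATH; the caller passes a trusted CA PEM file,
# the signed XML document and a "YYYY-MM-DD HH:MM:SS" GMT verification time.

# With --xxe unset, xmlsec1 does not resolve external entities, but a signed
# document has no business declaring a DOCTYPE at all; reject it up front
# rather than rely on a single default.
xmlsec_reject_doctype() {
    if grep -q '<!DOCTYPE' "$1"; then
        return 1
    fi
    return 0
}

# Emit one argument per line. The policy: Reference, RetrievalMethod and
# KeyInfoReference URIs may only point at the document itself (no local
# file or remote URL fetches); trust comes only from the given CA; the chain
# depth is capped (3 here, an arbitrary choice); the check is pinned to an
# explicit time; --insecure, --lax-key-search, --X509-skip-strict-checks
# and --xxe are never passed.
xmlsec_verify_args() {
    printf '%s\n' \
        --verify \
        --enabled-reference-uris empty,same-doc \
        --enabled-retrieval-method-uris empty,same-doc \
        --enabled-key-info-reference-uris empty,same-doc \
        --trusted-pem "$1" \
        --depth 3 \
        --verification-gmt-time "$3" \
        "$2"
}

# Run the verification. The argument list is re-read line by line so that
# the timestamp, which contains a space, stays a single argument.
xmlsec_verify_hardened() {
    ca=$1; doc=$2; when=$3
    xmlsec_reject_doctype "$doc" || {
        echo "refusing $doc: document declares a DOCTYPE" >&2
        return 1
    }
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(xmlsec_verify_args "$ca" "$doc" "$when")
EOF
    xmlsec1 "$@"
}
```

       Usage: xmlsec_verify_hardened ca.pem signed.xml "2024-10-01 12:00:00";
       a non-zero exit means the document was rejected before or during
       verification.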

AUTHOR
       Written by Aleksey Sanin	<aleksey@aleksey.com>.

REPORTING BUGS
       Report bugs to http://www.aleksey.com/xmlsec/bugs.html

COPYRIGHT
       Copyright (C) 2002-2024 Aleksey Sanin <aleksey@aleksey.com>. All Rights
       Reserved.
       This is free software: see the source for copying information.

xmlsec1	1.3.6 (openssl)		 October 2024			    XMLSEC1(1)
