XMLSEC1(1)                       User Commands                       XMLSEC1(1)

NAME
       xmlsec1 - sign, verify, encrypt and decrypt XML documents

SYNOPSIS
       xmlsec [] []

DESCRIPTION
       xmlsec is a command line tool for signing, verifying, encrypting and
       decrypting XML documents.

       The allowed values are:

       --help
              display this help information and exit

       --help-all
              display help information for all commands/options and exit

       --help-
              display help information for command and exit

       --version
              print version information and exit

       --keys
              keys XML file manipulation

       --sign
              sign data and output XML document

       --verify
              verify signed document

       --sign-tmpl
              create and sign dynamically generated signature template

       --encrypt
              encrypt data and output XML document

       --decrypt
              decrypt data from XML document

OPTIONS
       --ignore-manifests
              do not process elements

       --store-references
              store and print the result of element processing just before
              calculating digest

       --store-signatures
              store and print the result of processing just before
              calculating signature

       --enabled-reference-uris
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI
              attribute values for the element

       --enable-visa3d-hack
              enables Visa3D protocol specific hack for URI attributes
              processing when we are trying not to use XPath/XPointer
              engine; this is a hack and I don't know what else might be
              broken in your application when you use it (also check
              "--id-attr" option because you might need it)

       --hmac-min-out-len
              sets minimum HMAC output length to

       --binary-data
              binary to encrypt

       --xml-data
              XML to encrypt

       --enabled-cipher-reference-uris
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI
              attribute values for the element

       --session-key -
              generate new session key of bits size (for example,
              "--session des-192" generates a new 192 bits DES key for
              DES3 encryption)

       --output
              write result document to file ; the can be a template and
              include '{inputfile}' which will be replaced with the input
              filename

       --print-debug
              print debug information to stdout

       --print-xml-debug
              print debug information to stdout in xml format

       --dtd-file
              load the specified file as the DTD

       --node-id
              set the operation start point to the node with given

       --node-name [:]
              set the operation start point to the first node with given
              and URI

       --node-xpath
              set the operation start point to the first node selected by
              the specified XPath expression

       --id-attr[:] [:]
              adds attributes (default value "id") from all nodes with and
              namespace to the list of known ID attributes; this is a hack
              and if you can use DTD or schema to declare ID attributes
              instead (see "--dtd-file" option), I don't know what else
              might be broken in your application when you use this hack

       --enabled-key-data
              comma separated list of enabled key data (list of registered
              key data klasses is available with "--list-key-data"
              command); by default, all registered key data are enabled

       --enabled-retrieval-method-uris
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI
              attribute values for the element.

       --enabled-key-info-reference-uris
              comma separated list of the following values: "empty",
              "same-doc", "local", "remote" to restrict possible URI
              attribute values for the element.

       --gen-key[:] -
              generate new key of bits size, set the key name to and add
              the result to keys manager (for example, "--gen:mykey
              rsa-1024" generates a new 1024 bits RSA key and sets its
              name to "mykey")

       --keys-file
              load keys from XML file

       --privkey-pem[:] [,[,[...]]]
              load private key from PEM file and certificates that verify
              this key

       --privkey-der[:] [,[,[...]]]
              load private key from DER file and certificates that verify
              this key

       --pkcs8-pem[:] [,[,[...]]]
              load private key from PKCS8 PEM file and PEM certificates
              that verify this key

       --pkcs8-der[:] [,[,[...]]]
              load private key from PKCS8 DER file and DER certificates
              that verify this key

       --privkey-openssl-store[:]
              load private key and certs through OpenSSL ossl_store
              interface (e.g. from HSM)

       --privkey-openssl-engine[:] ;[,[,[...]]]
              load private key by OpenSSL ENGINE interface; specify the
              name of engine (like with -engine params), the key specs
              (like with -inkey or -key params) and optionally certificates
              that verify this key

       --pubkey-pem[:]
              load public key from PEM file

       --pubkey-der[:]
              load public key from DER file

       --pubkey-openssl-store[:]
              load public key and certs through OpenSSL ossl_store
              interface (e.g. from HSM)

       --pubkey-openssl-engine[:] ;[,[,[...]]]
              load public key by OpenSSL ENGINE interface; specify the name
              of engine (like with -engine params), the key specs (like
              with -inkey or -key params) and optionally certificates that
              verify this key

       --pwd
              the password to use for reading keys and certs

       --lax-key-search
              enable lax key search (e.g. by key type like "rsa") vs
              default strict key search mode using only information from
              node (e.g. key name)

       --verify-keys
              force verification of public/private keys loaded from the
              command: keys are required to have a key certificate that
              will be verified against the certificates in the key store

       --aes-key[:]
              load AES key from binary file

       --concatkdf-key[:]
              load ConcatKDF key from binary file

       --des-key[:]
              load DES key from binary file

       --hmac-key[:]
              load HMAC key from binary file

       --pbkdf2-key[:]
              load Pbkdf2 key from binary file

       --pkcs12[:]
              load private key from pkcs12 file

       --pkcs12-persist
              persist loaded private key

       --pubkey-cert-pem[:]
              load public key from PEM cert file

       --pubkey-cert-der[:]
              load public key from DER cert file

       --trusted-pem
              load trusted (root) certificate from PEM file

       --untrusted-pem
              load untrusted certificate from PEM file

       --trusted-der
              load trusted (root) certificate from DER file

       --untrusted-der
              load untrusted certificate from DER file

       --crl-pem
              load CRLs from PEM file

       --crl-der
              load CRLs from DER file

       --verification-time
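As an added example (not from the xmlsec1 man page or project), a POSIX sh wrapper that issues a verify command using only options documented above in their restrictive form: a trusted root certificate, the default strict key search with certificate verification of loaded keys (`--verify-keys`), and reference, retrieval-method and key-info URIs limited to `same-doc` so no local or remote resources are fetched during verification. The file names, the `ID` attribute and the `Document` node name are placeholders.

```shell
#!/bin/sh
# Added example, not part of xmlsec1. Builds and runs a restrictive
# `xmlsec1 --verify` command line from the documented options.
# Placeholders: signed.xml, trusted-ca.pem, the ID attribute "ID" and
# the element name "Document" (used because the sample schema declares
# no ID attributes, so --id-attr is needed for same-document references).

# xmlsec_verify RUNNER SIGNED_XML TRUSTED_CA_PEM ID_ATTR NODE_NAME
# RUNNER is the program that receives the argument list (xmlsec1 for a
# real run, print_args below to inspect it). Note what is deliberately
# absent: --lax-key-search (strict key search stays on), --untrusted-*
# certificates, and "local"/"remote" in any of the URI allow-lists.
xmlsec_verify() {
    runner="$1"; signed="$2"; ca="$3"; idattr="$4"; node="$5"
    "$runner" --verify \
        --trusted-pem "$ca" \
        --verify-keys \
        --enabled-reference-uris same-doc \
        --enabled-retrieval-method-uris same-doc \
        --enabled-key-info-reference-uris same-doc \
        --id-attr:"$idattr" "$node" \
        "$signed"
}

# Runner that prints one argument per line instead of executing anything.
print_args() {
    printf '%s\n' "$@"
}

# run_verify SIGNED_XML TRUSTED_CA_PEM ID_ATTR NODE_NAME
# Executes the real tool; exit status 127 if xmlsec1 is not installed,
# otherwise xmlsec1's own exit status (0 only when the signature is OK).
run_verify() {
    command -v xmlsec1 >/dev/null 2>&1 || {
        echo "xmlsec1 not found in PATH" >&2
        return 127
    }
    xmlsec_verify xmlsec1 "$@"
}

# Stand-alone demonstration: show the exact argument list that would be
# passed to xmlsec1 for the placeholder inputs.
xmlsec_verify print_args signed.xml trusted-ca.pem ID Document
```

Call `run_verify signed.xml trusted-ca.pem ID Document` to perform the actual verification once xmlsec1 and the files are in place.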