openssl-pkeyutl.pod.in - OpenGrok cross reference for /freebsd/crypto/openssl/doc/man1/openssl-pkeyutl.pod.in

Lines Matching +full:data +full:- +full:only
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-pkeyutl - public key algorithm command
11 [B<-help>]
12 [B<-in> I<file>]
13 [B<-rawin>]
14 [B<-digest> I<algorithm>]
15 [B<-out> I<file>]
16 [B<-sigfile> I<file>]
17 [B<-inkey> I<filename>|I<uri>]
18 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
19 [B<-passin> I<arg>]
20 [B<-peerkey> I<file>]
21 [B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
22 [B<-pubin>]
23 [B<-certin>]
24 [B<-rev>]
25 [B<-sign>]
26 [B<-verify>]
27 [B<-verifyrecover>]
28 [B<-encrypt>]
29 [B<-decrypt>]
30 [B<-derive>]
31 [B<-kdf> I<algorithm>]
32 [B<-kdflen> I<length>]
33 [B<-pkeyopt> I<opt>:I<value>]
34 [B<-pkeyopt_passin> I<opt>[:I<passarg>]]
35 [B<-hexdump>]
36 [B<-asn1parse>]
37 {- $OpenSSL::safe::opt_engine_synopsis -}[B<-engine_impl>]
38 {- $OpenSSL::safe::opt_r_synopsis -}
39 {- $OpenSSL::safe::opt_provider_synopsis -}
40 {- $OpenSSL::safe::opt_config_synopsis -}
44 This command can be used to perform low-level public key
51 =item B<-help>
55 =item B<-in> I<filename>
57 This specifies the input filename to read data from or standard input
60 =item B<-rawin>
62 This indicates that the input data is raw data, which is not hashed by any
64 the B<-digest> option. This option can only be used with B<-sign> and
65 B<-verify> and must be used with the Ed25519 and Ed448 algorithms.
67 =item B<-digest> I<algorithm>
69 This specifies the digest algorithm which is used to hash the input data before
73 used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the
75 then the B<-rawin> option must be also specified.
77 =item B<-out> I<filename>
82 =item B<-sigfile> I<file>
84 Signature file, required for B<-verify> operations only
86 =item B<-inkey> I<filename>|I<uri>
90 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
93 See L<openssl-format-options(1)> for details.
95 =item B<-passin> I<arg>
98 see L<openssl-passphrase-options(1)>.
100 =item B<-peerkey> I<file>
104 =item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
107 See L<openssl-format-options(1)> for details.
109 =item B<-pubin>
113 =item B<-certin>
117 =item B<-rev>
122 =item B<-sign>
124 Sign the input data (which must be a hash) and output the signed result. This
127 =item B<-verify>
129 Verify the input data (which must be a hash) against the signature file and
132 =item B<-verifyrecover>
134 Verify the input data (which must be a hash) and output the recovered data.
136 =item B<-encrypt>
138 Encrypt the input data using a public key.
140 =item B<-decrypt>
142 Decrypt the input data using a private key.
144 =item B<-derive>
148 =item B<-kdf> I<algorithm>
151 at present B<TLS1-PRF> and B<HKDF>.
157 =item B<-kdflen> I<length>
161 =item B<-pkeyopt> I<opt>:I<value>
165 =item B<-pkeyopt_passin> I<opt>[:I<passarg>]
168 If only I<opt> is specified, the user will be prompted to enter a password on
170 supported by L<openssl-passphrase-options(1)>.
172 =item B<-hexdump>
174 hex dump the output data.
176 =item B<-asn1parse>
178 Parse the ASN.1 output data, this is useful when combined with the
179 B<-verifyrecover> option when an ASN1 structure is signed.
181 {- $OpenSSL::safe::opt_engine_item -}
183 {- output_off() if $disabled{"deprecated-3.0"}; "" -}
184 =item B<-engine_impl>
186 When used with the B<-engine> option, it specifies to also use
188 {- output_on() if $disabled{"deprecated-3.0"}; "" -}
190 {- $OpenSSL::safe::opt_r_item -}
192 {- $OpenSSL::safe::opt_provider_item -}
194 {- $OpenSSL::safe::opt_config_item -}
207 hash the input data. It is used (by some algorithms) for sanity-checking the
208 lengths of data passed in and for creating the structures that make up the
211 This command does not hash the input data (except where -rawin is used) but
212 rather it will use the data directly as input to the signature algorithm.
214 acceptable lengths of input data differ. The signed data can't be longer than
215 the key modulus with RSA. In case of ECDSA and DSA the data shouldn't be longer
221 bytes long binary encoding of the SHA-1 hash function output.
227 support only a subset of these operations. The following additional
238 In PKCS#1 padding, if the message digest is not set, then the supplied data is
243 For B<oaep> mode only encryption and decryption is supported.
245 For B<x931> if the digest type is set it is used to format the block data
249 For B<pss> mode only sign and verify are supported and the digest type must be
254 For B<pss> mode only this option specifies the salt length. Three special
272 =head1 RSA-PSS ALGORITHM
274 The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
276 additional B<-pkeyopt> values are supported:
284 restrictions. The padding mode can only be set to B<pss> which is the
296 The DSA algorithm supports signing and verification operations only. Currently
297 there are no additional B<-pkeyopt> options other than B<digest>. The SHA1
302 The DH algorithm only supports the derivation operation and no additional
303 B<-pkeyopt> options.
309 the B<-pkeyopt> B<digest> option.
313 The X25519 and X448 algorithms support key derivation only. Currently there are
318 These algorithms only support signing and verifying. OpenSSL only implements the
319 "pure" variants of these algorithms so raw data can be passed directly to them
320 without hashing them first. The option B<-rawin> must be used with these
321 algorithms with no B<-digest> specified. Additionally OpenSSL only supports
332 be passed in. The following B<-pkeyopt> value is supported:
339 an SM2 signature, the ID string must be the same one used when signing the data.
345 an SM2 signature, the ID string must be the same one used when signing the data.
353 Sign some data using a private key:
355  openssl pkeyutl -sign -in file -inkey key.pem -out sig
357 Recover the signed data (e.g. if an RSA key is used):
359  openssl pkeyutl -verifyrecover -in sig -inkey key.pem
363  openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
365 Sign data using a message digest value (this is currently only valid for RSA):
367  openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256
371  openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret
376  openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
377     -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
381  openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass \
382     -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
386  openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass:env:MYPASS \
387     -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
389 Sign some data using an L<SM2(7)> private key and a specific ID:
391  openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \
392     -pkeyopt distid:someid
394 Verify some data using an L<SM2(7)> certificate and a specific ID:
396  openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \
397     -rawin -digest sm3 -pkeyopt distid:someid
399 Decrypt some data using a private key with OAEP padding using SHA256:
401  openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \
402     -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
407 L<openssl-genpkey(1)>,
408 L<openssl-pkey(1)>,
409 L<openssl-rsautl(1)>
410 L<openssl-dgst(1)>,
411 L<openssl-rsa(1)>,
412 L<openssl-genrsa(1)>,
413 L<openssl-kdf(1)>
419 The B<-engine> option was deprecated in OpenSSL 3.0.
423 Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.