Lines Matching +full:input +full:- +full:value
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-pkeyutl - public key algorithm command
11 [B<-help>]
12 [B<-in> I<file>]
13 [B<-rawin>]
14 [B<-digest> I<algorithm>]
15 [B<-out> I<file>]
16 [B<-sigfile> I<file>]
17 [B<-inkey> I<filename>|I<uri>]
18 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
19 [B<-passin> I<arg>]
20 [B<-peerkey> I<file>]
21 [B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
22 [B<-pubin>]
23 [B<-certin>]
24 [B<-rev>]
25 [B<-sign>]
26 [B<-verify>]
27 [B<-verifyrecover>]
28 [B<-encrypt>]
29 [B<-decrypt>]
30 [B<-derive>]
31 [B<-kdf> I<algorithm>]
32 [B<-kdflen> I<length>]
33 [B<-pkeyopt> I<opt>:I<value>]
34 [B<-pkeyopt_passin> I<opt>[:I<passarg>]]
35 [B<-hexdump>]
36 [B<-asn1parse>]
37 {- $OpenSSL::safe::opt_engine_synopsis -}[B<-engine_impl>]
38 {- $OpenSSL::safe::opt_r_synopsis -}
39 {- $OpenSSL::safe::opt_provider_synopsis -}
40 {- $OpenSSL::safe::opt_config_synopsis -}
44 This command can be used to perform low-level public key
51 =item B<-help>
55 =item B<-in> I<filename>
57 This specifies the input filename to read data from or standard input
60 =item B<-rawin>
62 This indicates that the input data is raw data, which is not hashed by any
64 the B<-digest> option. This option can only be used with B<-sign> and
65 B<-verify> and must be used with the Ed25519 and Ed448 algorithms.
67 =item B<-digest> I<algorithm>
69 This specifies the digest algorithm which is used to hash the input data before
70 signing or verifying it with the input key. This option could be omitted if the
72 is omitted but the signature algorithm requires one, a default value will be
73 used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the
75 then the B<-rawin> option must also be specified.
77 =item B<-out> I<filename>
82 =item B<-sigfile> I<file>
84 Signature file, required for B<-verify> operations only.
86 =item B<-inkey> I<filename>|I<uri>
88 The input key. By default it should be a private key.
90 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
93 See L<openssl-format-options(1)> for details.
95 =item B<-passin> I<arg>
97 The input key password source. For more information about the format of I<arg>
98 see L<openssl-passphrase-options(1)>.
100 =item B<-peerkey> I<file>
104 =item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
107 See L<openssl-format-options(1)> for details.
109 =item B<-pubin>
111 The input file is a public key.
113 =item B<-certin>
115 The input is a certificate containing a public key.
117 =item B<-rev>
119 Reverse the order of the input buffer. This is useful for some libraries
122 =item B<-sign>
124 Sign the input data (which must be a hash) and output the signed result. This
127 =item B<-verify>
129 Verify the input data (which must be a hash) against the signature file and
132 =item B<-verifyrecover>
134 Verify the input data (which must be a hash) and output the recovered data.
136 =item B<-encrypt>
138 Encrypt the input data using a public key.
140 =item B<-decrypt>
142 Decrypt the input data using a private key.
144 =item B<-derive>
148 =item B<-kdf> I<algorithm>
151 at present B<TLS1-PRF> and B<HKDF>.
157 =item B<-kdflen> I<length>
161 =item B<-pkeyopt> I<opt>:I<value>
163 Public key options specified as opt:value. See NOTES below for more details.
165 =item B<-pkeyopt_passin> I<opt>[:I<passarg>]
169 stdin. Alternatively, I<passarg> can be specified which can be any value
170 supported by L<openssl-passphrase-options(1)>.
172 =item B<-hexdump>
176 =item B<-asn1parse>
179 B<-verifyrecover> option when an ASN1 structure is signed.
181 {- $OpenSSL::safe::opt_engine_item -}
183 {- output_off() if $disabled{"deprecated-3.0"}; "" -}
184 =item B<-engine_impl>
186 When used with the B<-engine> option, it specifies to also use
188 {- output_on() if $disabled{"deprecated-3.0"}; "" -}
190 {- $OpenSSL::safe::opt_r_item -}
192 {- $OpenSSL::safe::opt_provider_item -}
194 {- $OpenSSL::safe::opt_config_item -}
205 The value I<alg> should represent a digest name as used in the
206 EVP_get_digestbyname() function, for example B<sha1>. This value is not used to
207 hash the input data. It is used (by some algorithms) for sanity-checking the
211 This command does not hash the input data (except where -rawin is used) but
212 rather it will use the data directly as input to the signature algorithm.
214 acceptable lengths of input data differ. The signed data can't be longer than
217 In any event the input size must not be larger than the largest supported digest
220 In other words, if the value of digest is B<sha1> the input should be the 20
221 bytes long binary encoding of the SHA-1 hash function output.
256 B<max> sets the salt length to the maximum permissible value. When verifying
272 =head1 RSA-PSS ALGORITHM
274 The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
276 additional B<-pkeyopt> values are supported:
285 default value.
290 value less than the minimum restriction.
297 there are no additional B<-pkeyopt> options other than B<digest>. The SHA1
303 B<-pkeyopt> options.
309 the B<-pkeyopt> B<digest> option.
320 without hashing them first. The option B<-rawin> must be used with these
321 algorithms with no B<-digest> specified. Additionally, OpenSSL only supports
326 (for example if the input is stdin) then the sign or verify operation will fail.
332 be passed in. The following B<-pkeyopt> value is supported:
347 should be a valid hexadecimal value.
355 openssl pkeyutl -sign -in file -inkey key.pem -out sig
359 openssl pkeyutl -verifyrecover -in sig -inkey key.pem
363 openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem
365 Sign data using a message digest value (this is currently only valid for RSA):
367 openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256
369 Derive a shared secret value:
371 openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret
376 openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
377 -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
381 openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass \
382 -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
386 openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass:env:MYPASS \
387 -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
391 openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \
392 -pkeyopt distid:someid
396 openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \
397 -rawin -digest sm3 -pkeyopt distid:someid
401 openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \
402 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
407 L<openssl-genpkey(1)>,
408 L<openssl-pkey(1)>,
409 L<openssl-rsautl(1)>,
410 L<openssl-dgst(1)>,
411 L<openssl-rsa(1)>,
412 L<openssl-genrsa(1)>,
413 L<openssl-kdf(1)>
419 The B<-engine> option was deprecated in OpenSSL 3.0.
423 Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.