Lines Matching +full:dsa +full:- +full:specific
1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-PKEYUTL 1ossl"
58 .TH OPENSSL-PKEYUTL 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-pkeyutl \- asymmetric key command
68 [\fB\-help\fR]
69 [\fB\-in\fR \fIfile\fR]
70 [\fB\-rawin\fR]
71 [\fB\-digest\fR \fIalgorithm\fR]
72 [\fB\-out\fR \fIfile\fR]
73 [\fB\-secret\fR \fIfile\fR]
74 [\fB\-sigfile\fR \fIfile\fR]
75 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
76 [\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
77 [\fB\-passin\fR \fIarg\fR]
78 [\fB\-pubin\fR]
79 [\fB\-certin\fR]
80 [\fB\-rev\fR]
81 [\fB\-sign\fR]
82 [\fB\-verify\fR]
83 [\fB\-verifyrecover\fR]
84 [\fB\-encrypt\fR]
85 [\fB\-decrypt\fR]
86 [\fB\-derive\fR]
87 [\fB\-peerkey\fR \fIfile\fR]
88 [\fB\-peerform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
89 [\fB\-encap\fR]
90 [\fB\-decap\fR]
91 [\fB\-kdf\fR \fIalgorithm\fR]
92 [\fB\-kdflen\fR \fIlength\fR]
93 [\fB\-kemop\fR \fImode\fR]
94 [\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
95 [\fB\-pkeyopt_passin\fR \fIopt\fR[:\fIpassarg\fR]]
96 [\fB\-hexdump\fR]
97 [\fB\-asn1parse\fR]
98 [\fB\-engine\fR \fIid\fR]
99 [\fB\-engine_impl\fR]
100 [\fB\-rand\fR \fIfiles\fR]
101 [\fB\-writerand\fR \fIfile\fR]
102 [\fB\-provider\fR \fIname\fR]
103 [\fB\-provider\-path\fR \fIpath\fR]
104 [\fB\-provparam\fR \fI[name:]key=value\fR]
105 [\fB\-propquery\fR \fIpropq\fR]
106 [\fB\-config\fR \fIconfigfile\fR]
109 This command can be used to perform low-level operations
112 By default the signing operation (see \fB\-sign\fR option) is assumed.
115 .IP \fB\-help\fR 4
116 .IX Item "-help"
118 .IP "\fB\-in\fR \fIfilename\fR" 4
119 .IX Item "-in filename"
122 .IP \fB\-rawin\fR 4
123 .IX Item "-rawin"
127 the user can specify a digest algorithm by using the \fB\-digest\fR option.
128 For signature algorithms like RSA, DSA and ECDSA,
131 This option can only be used with \fB\-sign\fR and \fB\-verify\fR.
135 The \fB\-digest\fR option implies \fB\-rawin\fR since OpenSSL 3.5.
136 .IP "\fB\-digest\fR \fIalgorithm\fR" 4
137 .IX Item "-digest algorithm"
138 This option can only be used with \fB\-sign\fR and \fB\-verify\fR.
143 is omitted but the signature algorithm requires one and the \fB\-rawin\fR option
144 is given, a default value will be used (see \fB\-rawin\fR for details).
145 If this option is present, then the \fB\-rawin\fR option
149 so the \fB\-digest\fR option cannot be used with EdDSA.
150 .IP "\fB\-out\fR \fIfilename\fR" 4
151 .IX Item "-out filename"
153 .IP "\fB\-secret\fR \fIfilename\fR" 4
154 .IX Item "-secret filename"
155 Specifies the shared-secret output filename when performing encapsulation
156 via the \fB\-encap\fR option or decapsulation via the \fB\-decap\fR option.
157 The \fB\-encap\fR option also produces a separate (public) ciphertext output which
158 is by default written to standard output, but being \fIbinary\fR non-text data,
159 is typically also redirected to a file selected via the \fI\-out\fR option.
160 .IP "\fB\-sigfile\fR \fIfile\fR" 4
161 .IX Item "-sigfile file"
162 Signature file, required and allowed for \fB\-verify\fR operations only.
163 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
164 .IX Item "-inkey filename|uri"
166 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
167 .IX Item "-keyform DER|PEM|P12|ENGINE"
169 See \fBopenssl\-format\-options\fR\|(1) for details.
170 .IP "\fB\-passin\fR \fIarg\fR" 4
171 .IX Item "-passin arg"
173 see \fBopenssl\-passphrase\-options\fR\|(1).
174 .IP \fB\-pubin\fR 4
175 .IX Item "-pubin"
179 .IP \fB\-certin\fR 4
180 .IX Item "-certin"
182 .IP \fB\-rev\fR 4
183 .IX Item "-rev"
185 (such as CryptoAPI) which represent the buffer in little-endian format.
186 This cannot be used in conjunction with \fB\-rawin\fR.
187 .IP \fB\-sign\fR 4
188 .IX Item "-sign"
191 when applicable, see the \fB\-rawin\fR and \fB\-digest\fR options for details.
192 Otherwise, the input data given with the \fB\-in\fR option is assumed to already
193 be a digest, but this may then require an additional \fB\-pkeyopt\fR \f(CW\*(C`digest:\*(C'\fR\fImd…
195 Even for other algorithms like ECDSA, where the additional \fB\-pkeyopt\fR option
198 .IP \fB\-verify\fR 4
199 .IX Item "-verify"
200 Verify the input data against the signature given with the \fB\-sigfile\fR option
202 The input data given with the \fB\-in\fR option is assumed to be a hash value
203 unless the \fB\-rawin\fR option is specified or implied.
206 .IP \fB\-verifyrecover\fR 4
207 .IX Item "-verifyrecover"
209 For example, in case of RSA PKCS#1 the recovered data is the \fBEMSA\-PKCS\-v1_5\fR
211 RFC8017 Section 9.2 <https://datatracker.ietf.org/doc/html/rfc8017#section-9.2>.
213 Note that here the input given with the \fB\-in\fR option is not a signature input
214 (as with the \fB\-sign\fR and \fB\-verify\fR options) but a signature output value,
215 typically produced using the \fB\-sign\fR option.
218 .IP \fB\-encrypt\fR 4
219 .IX Item "-encrypt"
221 .IP \fB\-decrypt\fR 4
222 .IX Item "-decrypt"
224 .IP \fB\-derive\fR 4
225 .IX Item "-derive"
227 .IP "\fB\-peerkey\fR \fIfile\fR" 4
228 .IX Item "-peerkey file"
231 Its type must match the type of the own private key given with \fB\-inkey\fR.
232 .IP "\fB\-peerform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
233 .IX Item "-peerform DER|PEM|P12|ENGINE"
235 See \fBopenssl\-format\-options\fR\|(1) for details.
236 .IP \fB\-encap\fR 4
237 .IX Item "-encap"
238 Use a Key Encapsulation Mechanism (\fBKEM\fR) to \fBencapsulate\fR a shared-secret to
240 The encapsulated result (or ciphertext, non-text binary data) is written to
241 standard output by default, or else to the file specified with \fI\-out\fR.
242 The \fI\-secret\fR option must also be provided to specify the output file for the
243 derived shared-secret value generated in the encapsulation process.
245 ML-KEM,
251 RFC9180 <https://www.rfc-editor.org/rfc/rfc9180> DHKEM construction.
256 hybrid ECDHE (no DHKEM) plus \fBML-KEM\fR algorithms, but these are intended
260 .IP \fB\-decap\fR 4
261 .IX Item "-decap"
262 Decode an encapsulated secret, with the use of a private key, to derive the
263 same shared-secret as that obtained when the secret was encapsulated to the
266 from the file specified with \fB\-in\fR.
267 The derived shared-secret is written to the file specified with the \fB\-secret\fR
270 ML-KEM,
276 RFC9180 <https://www.rfc-editor.org/rfc/rfc9180> DHKEM construction.
279 .IP "\fB\-kemop\fR \fImode\fR" 4
280 .IX Item "-kemop mode"
281 This option is used with the \fI\-encap\fR/\fI\-decap\fR commands and specifies the KEM
282 \&\fImode\fR specific for the key algorithm when there is no default way to
286 .IP "\fB\-kdf\fR \fIalgorithm\fR" 4
287 .IX Item "-kdf algorithm"
289 at present \fBTLS1\-PRF\fR and \fBHKDF\fR.
294 .IP "\fB\-kdflen\fR \fIlength\fR" 4
295 .IX Item "-kdflen length"
297 .IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
298 .IX Item "-pkeyopt opt:value"
300 .IP "\fB\-pkeyopt_passin\fR \fIopt\fR[:\fIpassarg\fR]" 4
301 .IX Item "-pkeyopt_passin opt[:passarg]"
305 supported by \fBopenssl\-passphrase\-options\fR\|(1).
306 .IP \fB\-hexdump\fR 4
307 .IX Item "-hexdump"
309 .IP \fB\-asn1parse\fR 4
310 .IX Item "-asn1parse"
312 When combined with the \fB\-verifyrecover\fR option, this may be useful in case
313 an ASN.1 DER-encoded structure had been signed directly (without hashing it)
315 .IP "\fB\-engine\fR \fIid\fR" 4
316 .IX Item "-engine id"
319 .IP \fB\-engine_impl\fR 4
320 .IX Item "-engine_impl"
321 When used with the \fB\-engine\fR option, it specifies to also use
323 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
324 .IX Item "-rand files, -writerand file"
326 .IP "\fB\-provider\fR \fIname\fR" 4
327 .IX Item "-provider name"
329 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
330 .IX Item "-provider-path path"
331 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
332 .IX Item "-provparam [name:]key=value"
333 .IP "\fB\-propquery\fR \fIpropq\fR" 4
334 .IX Item "-propquery propq"
337 .IP "\fB\-config\fR \fIconfigfile\fR" 4
338 .IX Item "-config configfile"
345 Unless otherwise mentioned, the \fB\-pkeyopt\fR option supports
346 for all public-key types the \f(CW\*(C`digest:\*(C'\fR\fIalg\fR argument,
350 hash the input data. It is used (by some algorithms) for sanity-checking the
355 if the value of the \fB\-pkeyopt\fR option \f(CW\*(C`digest\*(C'\fR argument is \fBsha256\fR,
359 Unless \fB\-rawin\fR is used or implied, this command does not hash the input data
363 than the key modulus. In case of ECDSA and DSA the data should not be longer
420 errors in a side-channel free manner.
421 .SH "RSA-PSS ALGORITHM"
422 .IX Header "RSA-PSS ALGORITHM"
423 The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
425 additional \fB\-pkeyopt\fR values are supported:
436 .SH "DSA ALGORITHM"
437 .IX Header "DSA ALGORITHM"
438 The DSA algorithm supports signing and verification operations only. Currently
439 there are no additional \fB\-pkeyopt\fR options other than \fBdigest\fR. The SHA256
444 \&\fB\-pkeyopt\fR options.
449 for the \fB\-pkeyopt\fR \fBdigest\fR option.
454 .SS "SLH-DSA ALGORITHMS"
455 .IX Subsection "SLH-DSA ALGORITHMS"
456 …-DSA algorithms (SLH\-DSA\-SHA2\-128s, SLH\-DSA\-SHA2\-128f, SLH\-DSA\-SHA2\-192s, SLH\-DSA\-SHA2\…
457 .IP \fB\-sign\fR 4
458 .IX Item "-sign"
459 Sign the input data using an SLH-DSA private key. For example:
462 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey slhdsa.pem \-out sig
464 .IP \fB\-verify\fR 4
465 .IX Item "-verify"
466 Verify the signature using an SLH-DSA public key. For example:
469 \& $ openssl pkeyutl \-verify \-in file.txt \-inkey slhdsa.pem \-sigfile sig
472 See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) and \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7) for additional details abo…
473 .SH "ML\-DSA\-44, ML\-DSA\-65 AND ML\-DSA\-87 ALGORITHMS"
474 .IX Header "ML-DSA-44, ML-DSA-65 AND ML-DSA-87 ALGORITHMS"
475 The ML-DSA algorithms are post-quantum signature algorithms that support signing and verification o…
476 No preliminary hashing is performed. When using ML-DSA with pkeyutl, the following options are avai…
477 .IP \fB\-sign\fR 4
478 .IX Item "-sign"
479 Sign the input data using an ML-DSA private key. For example:
482 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig
484 .IP \fB\-verify\fR 4
485 .IX Item "-verify"
486 Verify the signature using an ML-DSA public key. For example:
489 \& $ openssl pkeyutl \-verify \-in file.txt \-inkey mldsa65.pem \-sigfile sig
491 .IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
492 .IX Item "-pkeyopt opt:value"
493 Additional options for ML-DSA signing and verification:
495 .IP \fBmessage-encoding\fR:\fIvalue\fR 4
496 .IX Item "message-encoding:value"
497 …rocessed before signing. Valid values are described in \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7). For exam…
500 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt message\-encodin…
502 .IP \fBtest-entropy\fR:\fIvalue\fR 4
503 .IX Item "test-entropy:value"
507 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt test\-entropy:ab…
509 .IP \fBhextest-entropy\fR:\fIvalue\fR 4
510 .IX Item "hextest-entropy:value"
514 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt hextest\-entropy…
521 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt deterministic:1
528 \& $ echo \-n "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" >file.txt
529 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt mu:1
534 .IP \fBcontext-string\fR:\fIstring\fR 4
535 .IX Item "context-string:string"
539 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt context\-string:…
540 \& $ openssl pkeyutl \-verify \-in file.txt \-inkey mldsa65.pem \-sigfile sig \-pkeyopt context\-s…
542 .IP \fBhexcontext-string\fR:\fIstring\fR 4
543 .IX Item "hexcontext-string:string"
547 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt hexcontext\-stri…
555 entropy value via the \fBhextest-entropy\fR:\fIvalue\fR parameter.
556 Deterministic \fBML-DSA\fR signing should only be used in tests.
558 See \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7) for additional details about the ML-DSA algorithms and their …
559 .SH "ML\-KEM\-512, ML\-KEM\-768 AND ML\-KEM\-1024 ALGORITHMS"
560 .IX Header "ML-KEM-512, ML-KEM-768 AND ML-KEM-1024 ALGORITHMS"
561 The ML-KEM algorithms support encapsulation and decapsulation only.
563 with \fIentropy\fR the 64 hexadecimal digit encoding of a 32\-byte value.
567 See \fBEVP_KEM\-ML\-KEM\fR\|(7) for additional detail.
582 be passed in. The following \fB\-pkeyopt\fR value is supported:
599 \& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig
605 \& openssl pkeyutl \-verifyrecover \-in sig \-inkey key.pem
608 Verify the signature (e.g. a DSA key):
611 \& openssl pkeyutl \-verify \-in file \-sigfile sig \-inkey key.pem
617 \& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig \-pkeyopt digest:sha256
623 \& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret
630 \& openssl pkeyutl \-kdf TLS1\-PRF \-kdflen 48 \-pkeyopt md:SHA256 \e
631 \& \-pkeyopt hexsecret:ff \-pkeyopt hexseed:ff \-hexdump
637 \& openssl pkeyutl \-kdf scrypt \-kdflen 16 \-pkeyopt_passin pass \e
638 \& \-pkeyopt hexsalt:aabbcc \-pkeyopt N:16384 \-pkeyopt r:8 \-pkeyopt p:1
644 \& openssl pkeyutl \-kdf scrypt \-kdflen 16 \-pkeyopt_passin pass:env:MYPASS \e
645 \& \-pkeyopt hexsalt:aabbcc \-pkeyopt N:16384 \-pkeyopt r:8 \-pkeyopt p:1
648 Sign some data using an \fBSM2\fR\|(7) private key and a specific ID:
651 \& openssl pkeyutl \-sign \-in file \-inkey sm2.key \-out sig \-rawin \-digest sm3 \e
652 \& \-pkeyopt distid:someid
655 Verify some data using an \fBSM2\fR\|(7) certificate and a specific ID:
658 \& openssl pkeyutl \-verify \-certin \-in file \-inkey sm2.cert \-sigfile sig \e
659 \& \-rawin \-digest sm3 \-pkeyopt distid:someid
665 \& openssl pkeyutl \-decrypt \-in file \-inkey key.pem \-out secret \e
666 \& \-pkeyopt rsa_padding_mode:oaep \-pkeyopt rsa_oaep_md:sha256
669 Create an ML-DSA key pair and sign data with a specific context string:
672 \& $ openssl genpkey \-algorithm ML\-DSA\-65 \-out mldsa65.pem
673 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt context\-string:…
676 Verify a signature using ML-DSA with the same context string:
679 \& $ openssl pkeyutl \-verify \-in file.txt \-inkey mldsa65.pem \-sigfile sig \-pkeyopt context\-s…
682 Generate an ML-KEM key pair and use it for encapsulation:
685 \& $ openssl genpkey \-algorithm ML\-KEM\-768 \-out mlkem768.pem
686 \& $ openssl pkey \-in mlkem768.pem \-pubout \-out mlkem768_pub.pem
687 \& $ openssl pkeyutl \-encap \-inkey mlkem768_pub.pem \-pubin \-out ciphertext \-secret shared_sec…
690 Decapsulate a shared secret using an ML-KEM private key:
693 \& $ openssl pkeyutl \-decap \-inkey mlkem768.pem \-in ciphertext \-secret decapsulated_secret.bin
696 Create an SLH-DSA key pair and sign data:
699 \& $ openssl genpkey \-algorithm SLH\-DSA\-SHA2\-128s \-out slh\-dsa.pem
700 \& $ openssl pkeyutl \-sign \-in file.txt \-inkey slh\-dsa.pem \-out sig
703 Verify a signature using SLH-DSA:
706 \& $ openssl pkeyutl \-verify \-in file.txt \-inkey slh\-dsa.pem \-sigfile sig
711 \&\fBopenssl\-genpkey\fR\|(1),
712 \&\fBopenssl\-pkey\fR\|(1),
713 \&\fBopenssl\-rsautl\fR\|(1),
714 \&\fBopenssl\-dgst\fR\|(1),
715 \&\fBopenssl\-rsa\fR\|(1),
716 \&\fBopenssl\-genrsa\fR\|(1),
717 \&\fBopenssl\-kdf\fR\|(1)
723 the \fB\-digest\fR option implies \fB\-rawin\fR, and these two options are
726 Also since OpenSSL 3.5, the \fB\-kemop\fR option is no longer required for any of
729 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
732 Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.