pkeyutl.1s
Perform cryptographic operations with public/private keys
SYNOPSIS
openssl pkeyutl [-help] [-in filename] [-out filename] [-sigfile filename] [-inkey filename] [-passin arg] [-keyform arg] [-pubin] [-certin] [-pkcs8] [-topk8] [-noout] [-engine id] [-rand files] [-writerand file] [-provider name] [-provider-path path] [-propquery propq] [-encrypt] [-decrypt] [-sign] [-verify] [-verifyrecover] [-derive] [-shared_secret] [-pkeyopt parameter:value] [-rev] [-asn1parse] [-hexdump]
PARAMETERS
-help
Display a brief summary of command options.
-in filename
Input file containing the data to be processed.
-out filename
Output file to write the processed data.
-sigfile filename
Signature file for verification.
-inkey filename
Input file containing the private key.
-passin arg
Input password source.
-keyform arg
Private key format (PEM, DER, etc.).
-pubin
Input file contains a public key, not a private key.
-certin
Input file contains a certificate.
-pkcs8
The input is in PKCS#8 format.
-topk8
The input is converted to PKCS#8 format.
-noout
No output is produced.
-engine id
Specifies the engine to use.
-rand files
Specifies one or more sources of random bytes.
-writerand file
Writes random data to a file.
-provider name
The provider to load.
-provider-path path
A path to search for providers.
-propquery propq
A property query string.
-encrypt
Encrypt the input data.
-decrypt
Decrypt the input data.
-sign
Sign the input data.
-verify
Verify the signature of the input data.
-verifyrecover
Verify and recover the original data.
-derive
Perform key derivation.
-shared_secret
Output the shared secret.
-pkeyopt parameter:value
Set public key algorithm options.
-rev
Reverse the byte order of the input buffer.
-asn1parse
Parse the input as ASN.1 data and print it in human-readable form.
-hexdump
Hex dump the output data.
DESCRIPTION
The pkeyutl command is a general-purpose utility within the OpenSSL toolkit for performing low-level public key operations.
It operates directly on public and private keys to encrypt, decrypt, sign, verify, derive keys, and more. pkeyutl is particularly useful for testing cryptographic algorithms, experimenting with different key parameters, and performing specific low-level operations. It provides a command-line interface for accessing and manipulating cryptographic keys in different formats; options select the input key, the operation to perform, and the output format.
The command works with both RSA and ECC keys and gives fine-grained control over the cryptographic primitives. Because of that complexity, direct use in production systems is less common than higher-level wrappers or dedicated cryptographic libraries.
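As an added example (not from the original page), the key derivation path the description mentions: two EC P-256 key pairs are generated, each side runs pkeyutl -derive against the other side's public key, and the matching raw secret is then fed through HKDF to obtain a session key. The -peerkey, -kdf and -kdflen options used here are real pkeyutl options that the synopsis above does not list; the file names and the HKDF info string are chosen for this example.

```shell
#!/bin/sh
# Added example: ECDH key agreement with pkeyutl -derive, then HKDF.
# All file names below are this example's own, not from the page.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Generate an EC P-256 key pair for one party; $1 is a name prefix.
make_ec_keys() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.pem"
    openssl pkey -in "$WORK/$1.pem" -pubout -out "$WORK/$1_pub.pem"
}

# $1 derives the shared secret from its own private key and $2's public key;
# prints the raw secret as lowercase hex.
derive_secret() {
    openssl pkeyutl -derive -inkey "$WORK/$1.pem" -peerkey "$WORK/$2_pub.pem" \
        -out "$WORK/$1_$2.bin"
    od -An -tx1 "$WORK/$1_$2.bin" | tr -d ' \n'
}

# Both parties must arrive at the same secret; P-256 yields 32 bytes (64 hex).
agreement_matches() {
    a=$(derive_secret alice bob)
    b=$(derive_secret bob alice)
    if [ "$a" = "$b" ] && [ "${#a}" -eq 64 ]; then echo ok; else echo fail; fi
}

# The raw ECDH output is a field element, not a uniformly random key, so it
# goes through HKDF-SHA256 with a context string. Prints the key length.
derive_session_key() {
    secret_hex=$(od -An -tx1 "$WORK/alice_bob.bin" | tr -d ' \n')
    openssl pkeyutl -kdf HKDF -kdflen 32 -pkeyopt md:SHA256 \
        -pkeyopt hexkey:"$secret_hex" -pkeyopt info:constructed-session-key \
        -out "$WORK/session.key"
    wc -c < "$WORK/session.key" | tr -d ' '
}

if have_openssl; then
    make_ec_keys alice
    make_ec_keys bob
    echo "agreement: $(agreement_matches)"
    echo "session key bytes: $(derive_session_key)"
fi
```

The final step is the one most often skipped: the output of -derive is the shared secret, not a key, and anything that encrypts should be keyed from a KDF output that binds in the protocol context.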
CAVEATS
Using pkeyutl requires a good understanding of cryptographic algorithms and key formats. Incorrect usage can lead to security vulnerabilities. Be sure you understand the parameters you are setting.
EXAMPLES
Encrypting data:
openssl pkeyutl -encrypt -in data.txt -inkey pubkey.pem -pubin -out enc.txt
Decrypting data:
openssl pkeyutl -decrypt -in enc.txt -inkey privkey.pem -out data.txt
Signing data:
openssl pkeyutl -sign -in data.txt -inkey privkey.pem -out sig.txt
Verifying data:
openssl pkeyutl -verify -in data.txt -sigfile sig.txt -inkey pubkey.pem -pubin
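The examples above rely on pkeyutl's default padding and sign the file's bytes directly. The following added example, which is not part of the original page, runs the same four operations with the options a practitioner would set explicitly: RSA-OAEP for encryption and decryption, RSA-PSS over a SHA-256 hash for signing and verification, and a final check that the signature stops verifying once the message changes. Keys and data are generated in a temporary directory; the file names are the example's own.

```shell
#!/bin/sh
# Added example: RSA-OAEP encrypt/decrypt and RSA-PSS sign/verify with pkeyutl.
# All file names below are this example's own, not from the page.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Generate a fresh RSA-3072 key pair; pubkey.pem is the public half.
make_rsa_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORK/privkey.pem" 2>/dev/null
    openssl pkey -in "$WORK/privkey.pem" -pubout -out "$WORK/pubkey.pem"
}

# Encrypt with the public key, decrypt with the private key, and confirm the
# plaintext survives. OAEP is selected explicitly; the default is PKCS#1 v1.5.
encrypt_roundtrip() {
    printf 'constructed sample plaintext\n' > "$WORK/data.txt"
    openssl pkeyutl -encrypt -in "$WORK/data.txt" -inkey "$WORK/pubkey.pem" -pubin \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -out "$WORK/enc.bin"
    openssl pkeyutl -decrypt -in "$WORK/enc.bin" -inkey "$WORK/privkey.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -out "$WORK/dec.txt"
    if cmp -s "$WORK/data.txt" "$WORK/dec.txt"; then echo ok; else echo fail; fi
}

# pkeyutl signs its input as-is, so hash the message first and tell pkeyutl
# which digest produced it. PSS padding with a digest-length salt.
sign_message() {
    openssl dgst -sha256 -binary -out "$WORK/data.sha256" "$WORK/data.txt"
    openssl pkeyutl -sign -in "$WORK/data.sha256" -inkey "$WORK/privkey.pem" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:digest -out "$WORK/sig.bin"
}

# Verify the hash file $1 against sig.bin; prints ok or fail.
verify_hash() {
    if openssl pkeyutl -verify -in "$1" -sigfile "$WORK/sig.bin" \
        -inkey "$WORK/pubkey.pem" -pubin \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:digest >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

verify_original() { verify_hash "$WORK/data.sha256"; }

# The same signature checked against a modified message must fail.
verify_tampered() {
    printf 'constructed sample plaintext, tampered\n' > "$WORK/tampered.txt"
    openssl dgst -sha256 -binary -out "$WORK/tampered.sha256" "$WORK/tampered.txt"
    verify_hash "$WORK/tampered.sha256"
}

if have_openssl; then
    make_rsa_keys
    echo "roundtrip: $(encrypt_roundtrip)"
    sign_message
    echo "original:  $(verify_original)"
    echo "tampered:  $(verify_tampered)"
fi
```

Two details matter here. -sign operates on whatever bytes it is given, so for RSA the input is the message digest and -pkeyopt digest:sha256 tells pkeyutl which hash it is encoding; the signing example above signs the file contents directly rather than a hash. And -verify exits non-zero when the signature does not check, which is what verify_hash relies on rather than parsing its printed message.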
SEE ALSO
openssl(1), rsa(1), ec(1)