1*66bae5e7Schristos=pod 2*66bae5e7Schristos{- OpenSSL::safe::output_do_not_edit_headers(); -} 3*66bae5e7Schristos 4*66bae5e7Schristos=head1 NAME 5*66bae5e7Schristos 6*66bae5e7Schristosopenssl-pkeyutl - public key algorithm command 7*66bae5e7Schristos 8*66bae5e7Schristos=head1 SYNOPSIS 9*66bae5e7Schristos 10*66bae5e7SchristosB<openssl> B<pkeyutl> 11*66bae5e7Schristos[B<-help>] 12*66bae5e7Schristos[B<-in> I<file>] 13*66bae5e7Schristos[B<-rawin>] 14*66bae5e7Schristos[B<-digest> I<algorithm>] 15*66bae5e7Schristos[B<-out> I<file>] 16*66bae5e7Schristos[B<-sigfile> I<file>] 17*66bae5e7Schristos[B<-inkey> I<filename>|I<uri>] 18*66bae5e7Schristos[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 19*66bae5e7Schristos[B<-passin> I<arg>] 20*66bae5e7Schristos[B<-peerkey> I<file>] 21*66bae5e7Schristos[B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 22*66bae5e7Schristos[B<-pubin>] 23*66bae5e7Schristos[B<-certin>] 24*66bae5e7Schristos[B<-rev>] 25*66bae5e7Schristos[B<-sign>] 26*66bae5e7Schristos[B<-verify>] 27*66bae5e7Schristos[B<-verifyrecover>] 28*66bae5e7Schristos[B<-encrypt>] 29*66bae5e7Schristos[B<-decrypt>] 30*66bae5e7Schristos[B<-derive>] 31*66bae5e7Schristos[B<-kdf> I<algorithm>] 32*66bae5e7Schristos[B<-kdflen> I<length>] 33*66bae5e7Schristos[B<-pkeyopt> I<opt>:I<value>] 34*66bae5e7Schristos[B<-pkeyopt_passin> I<opt>[:I<passarg>]] 35*66bae5e7Schristos[B<-hexdump>] 36*66bae5e7Schristos[B<-asn1parse>] 37*66bae5e7Schristos{- $OpenSSL::safe::opt_engine_synopsis -}[B<-engine_impl>] 38*66bae5e7Schristos{- $OpenSSL::safe::opt_r_synopsis -} 39*66bae5e7Schristos{- $OpenSSL::safe::opt_provider_synopsis -} 40*66bae5e7Schristos{- $OpenSSL::safe::opt_config_synopsis -} 41*66bae5e7Schristos 42*66bae5e7Schristos=head1 DESCRIPTION 43*66bae5e7Schristos 44*66bae5e7SchristosThis command can be used to perform low-level public key 45*66bae5e7Schristosoperations using any supported algorithm. 46*66bae5e7Schristos 47*66bae5e7Schristos=head1 OPTIONS 48*66bae5e7Schristos 49*66bae5e7Schristos=over 4 50*66bae5e7Schristos 51*66bae5e7Schristos=item B<-help> 52*66bae5e7Schristos 53*66bae5e7SchristosPrint out a usage message. 54*66bae5e7Schristos 55*66bae5e7Schristos=item B<-in> I<filename> 56*66bae5e7Schristos 57*66bae5e7SchristosThis specifies the input filename to read data from or standard input 58*66bae5e7Schristosif this option is not specified. 59*66bae5e7Schristos 60*66bae5e7Schristos=item B<-rawin> 61*66bae5e7Schristos 62*66bae5e7SchristosThis indicates that the input data is raw data, which is not hashed by any 63*66bae5e7Schristosmessage digest algorithm. The user can specify a digest algorithm by using 64*66bae5e7Schristosthe B<-digest> option. This option can only be used with B<-sign> and 65*66bae5e7SchristosB<-verify> and must be used with the Ed25519 and Ed448 algorithms. 66*66bae5e7Schristos 67*66bae5e7Schristos=item B<-digest> I<algorithm> 68*66bae5e7Schristos 69*66bae5e7SchristosThis specifies the digest algorithm which is used to hash the input data before 70*66bae5e7Schristossigning or verifying it with the input key. This option could be omitted if the 71*66bae5e7Schristossignature algorithm does not require one (for instance, EdDSA). If this option 72*66bae5e7Schristosis omitted but the signature algorithm requires one, a default value will be 73*66bae5e7Schristosused. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the 74*66bae5e7Schristosdefault digest algorithm. For SM2, it will be SM3. If this option is present, 75*66bae5e7Schristosthen the B<-rawin> option must be also specified. 76*66bae5e7Schristos 77*66bae5e7Schristos=item B<-out> I<filename> 78*66bae5e7Schristos 79*66bae5e7SchristosSpecifies the output filename to write to or standard output by 80*66bae5e7Schristosdefault. 81*66bae5e7Schristos 82*66bae5e7Schristos=item B<-sigfile> I<file> 83*66bae5e7Schristos 84*66bae5e7SchristosSignature file, required for B<-verify> operations only 85*66bae5e7Schristos 86*66bae5e7Schristos=item B<-inkey> I<filename>|I<uri> 87*66bae5e7Schristos 88*66bae5e7SchristosThe input key, by default it should be a private key. 89*66bae5e7Schristos 90*66bae5e7Schristos=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 91*66bae5e7Schristos 92*66bae5e7SchristosThe key format; unspecified by default. 93*66bae5e7SchristosSee L<openssl-format-options(1)> for details. 94*66bae5e7Schristos 95*66bae5e7Schristos=item B<-passin> I<arg> 96*66bae5e7Schristos 97*66bae5e7SchristosThe input key password source. For more information about the format of I<arg> 98*66bae5e7Schristossee L<openssl-passphrase-options(1)>. 99*66bae5e7Schristos 100*66bae5e7Schristos=item B<-peerkey> I<file> 101*66bae5e7Schristos 102*66bae5e7SchristosThe peer key file, used by key derivation (agreement) operations. 103*66bae5e7Schristos 104*66bae5e7Schristos=item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 105*66bae5e7Schristos 106*66bae5e7SchristosThe peer key format; unspecified by default. 107*66bae5e7SchristosSee L<openssl-format-options(1)> for details. 108*66bae5e7Schristos 109*66bae5e7Schristos=item B<-pubin> 110*66bae5e7Schristos 111*66bae5e7SchristosThe input file is a public key. 112*66bae5e7Schristos 113*66bae5e7Schristos=item B<-certin> 114*66bae5e7Schristos 115*66bae5e7SchristosThe input is a certificate containing a public key. 116*66bae5e7Schristos 117*66bae5e7Schristos=item B<-rev> 118*66bae5e7Schristos 119*66bae5e7SchristosReverse the order of the input buffer. This is useful for some libraries 120*66bae5e7Schristos(such as CryptoAPI) which represent the buffer in little endian format. 121*66bae5e7Schristos 122*66bae5e7Schristos=item B<-sign> 123*66bae5e7Schristos 124*66bae5e7SchristosSign the input data (which must be a hash) and output the signed result. This 125*66bae5e7Schristosrequires a private key. 126*66bae5e7Schristos 127*66bae5e7Schristos=item B<-verify> 128*66bae5e7Schristos 129*66bae5e7SchristosVerify the input data (which must be a hash) against the signature file and 130*66bae5e7Schristosindicate if the verification succeeded or failed. 131*66bae5e7Schristos 132*66bae5e7Schristos=item B<-verifyrecover> 133*66bae5e7Schristos 134*66bae5e7SchristosVerify the input data (which must be a hash) and output the recovered data. 135*66bae5e7Schristos 136*66bae5e7Schristos=item B<-encrypt> 137*66bae5e7Schristos 138*66bae5e7SchristosEncrypt the input data using a public key. 139*66bae5e7Schristos 140*66bae5e7Schristos=item B<-decrypt> 141*66bae5e7Schristos 142*66bae5e7SchristosDecrypt the input data using a private key. 143*66bae5e7Schristos 144*66bae5e7Schristos=item B<-derive> 145*66bae5e7Schristos 146*66bae5e7SchristosDerive a shared secret using the peer key. 147*66bae5e7Schristos 148*66bae5e7Schristos=item B<-kdf> I<algorithm> 149*66bae5e7Schristos 150*66bae5e7SchristosUse key derivation function I<algorithm>. The supported algorithms are 151*66bae5e7Schristosat present B<TLS1-PRF> and B<HKDF>. 152*66bae5e7SchristosNote: additional parameters and the KDF output length will normally have to be 153*66bae5e7Schristosset for this to work. 154*66bae5e7SchristosSee L<EVP_PKEY_CTX_set_hkdf_md(3)> and L<EVP_PKEY_CTX_set_tls1_prf_md(3)> 155*66bae5e7Schristosfor the supported string parameters of each algorithm. 156*66bae5e7Schristos 157*66bae5e7Schristos=item B<-kdflen> I<length> 158*66bae5e7Schristos 159*66bae5e7SchristosSet the output length for KDF. 160*66bae5e7Schristos 161*66bae5e7Schristos=item B<-pkeyopt> I<opt>:I<value> 162*66bae5e7Schristos 163*66bae5e7SchristosPublic key options specified as opt:value. See NOTES below for more details. 164*66bae5e7Schristos 165*66bae5e7Schristos=item B<-pkeyopt_passin> I<opt>[:I<passarg>] 166*66bae5e7Schristos 167*66bae5e7SchristosAllows reading a public key option I<opt> from stdin or a password source. 168*66bae5e7SchristosIf only I<opt> is specified, the user will be prompted to enter a password on 169*66bae5e7Schristosstdin. Alternatively, I<passarg> can be specified which can be any value 170*66bae5e7Schristossupported by L<openssl-passphrase-options(1)>. 171*66bae5e7Schristos 172*66bae5e7Schristos=item B<-hexdump> 173*66bae5e7Schristos 174*66bae5e7Schristoshex dump the output data. 175*66bae5e7Schristos 176*66bae5e7Schristos=item B<-asn1parse> 177*66bae5e7Schristos 178*66bae5e7SchristosParse the ASN.1 output data, this is useful when combined with the 179*66bae5e7SchristosB<-verifyrecover> option when an ASN1 structure is signed. 180*66bae5e7Schristos 181*66bae5e7Schristos{- $OpenSSL::safe::opt_engine_item -} 182*66bae5e7Schristos 183*66bae5e7Schristos{- output_off() if $disabled{"deprecated-3.0"}; "" -} 184*66bae5e7Schristos=item B<-engine_impl> 185*66bae5e7Schristos 186*66bae5e7SchristosWhen used with the B<-engine> option, it specifies to also use 187*66bae5e7Schristosengine I<id> for crypto operations. 188*66bae5e7Schristos{- output_on() if $disabled{"deprecated-3.0"}; "" -} 189*66bae5e7Schristos 190*66bae5e7Schristos{- $OpenSSL::safe::opt_r_item -} 191*66bae5e7Schristos 192*66bae5e7Schristos{- $OpenSSL::safe::opt_provider_item -} 193*66bae5e7Schristos 194*66bae5e7Schristos{- $OpenSSL::safe::opt_config_item -} 195*66bae5e7Schristos 196*66bae5e7Schristos=back 197*66bae5e7Schristos 198*66bae5e7Schristos=head1 NOTES 199*66bae5e7Schristos 200*66bae5e7SchristosThe operations and options supported vary according to the key algorithm 201*66bae5e7Schristosand its implementation. The OpenSSL operations and options are indicated below. 202*66bae5e7Schristos 203*66bae5e7SchristosUnless otherwise mentioned all algorithms support the B<digest:>I<alg> option 204*66bae5e7Schristoswhich specifies the digest in use for sign, verify and verifyrecover operations. 205*66bae5e7SchristosThe value I<alg> should represent a digest name as used in the 206*66bae5e7SchristosEVP_get_digestbyname() function for example B<sha1>. This value is not used to 207*66bae5e7Schristoshash the input data. It is used (by some algorithms) for sanity-checking the 208*66bae5e7Schristoslengths of data passed in and for creating the structures that make up the 209*66bae5e7Schristossignature (e.g. B<DigestInfo> in RSASSA PKCS#1 v1.5 signatures). 210*66bae5e7Schristos 211*66bae5e7SchristosThis command does not hash the input data (except where -rawin is used) but 212*66bae5e7Schristosrather it will use the data directly as input to the signature algorithm. 213*66bae5e7SchristosDepending on the key type, signature type, and mode of padding, the maximum 214*66bae5e7Schristosacceptable lengths of input data differ. The signed data can't be longer than 215*66bae5e7Schristosthe key modulus with RSA. In case of ECDSA and DSA the data shouldn't be longer 216*66bae5e7Schristosthan the field size, otherwise it will be silently truncated to the field size. 217*66bae5e7SchristosIn any event the input size must not be larger than the largest supported digest 218*66bae5e7Schristossize. 219*66bae5e7Schristos 220*66bae5e7SchristosIn other words, if the value of digest is B<sha1> the input should be the 20 221*66bae5e7Schristosbytes long binary encoding of the SHA-1 hash function output. 222*66bae5e7Schristos 223*66bae5e7Schristos=head1 RSA ALGORITHM 224*66bae5e7Schristos 225*66bae5e7SchristosThe RSA algorithm generally supports the encrypt, decrypt, sign, 226*66bae5e7Schristosverify and verifyrecover operations. However, some padding modes 227*66bae5e7Schristossupport only a subset of these operations. The following additional 228*66bae5e7SchristosB<pkeyopt> values are supported: 229*66bae5e7Schristos 230*66bae5e7Schristos=over 4 231*66bae5e7Schristos 232*66bae5e7Schristos=item B<rsa_padding_mode:>I<mode> 233*66bae5e7Schristos 234*66bae5e7SchristosThis sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for 235*66bae5e7SchristosPKCS#1 padding, B<none> for no padding, B<oaep> 236*66bae5e7Schristosfor B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS. 237*66bae5e7Schristos 238*66bae5e7SchristosIn PKCS#1 padding if the message digest is not set then the supplied data is 239*66bae5e7Schristossigned or verified directly instead of using a B<DigestInfo> structure. If a 240*66bae5e7Schristosdigest is set then the a B<DigestInfo> structure is used and its the length 241*66bae5e7Schristosmust correspond to the digest type. 242*66bae5e7Schristos 243*66bae5e7SchristosFor B<oaep> mode only encryption and decryption is supported. 244*66bae5e7Schristos 245*66bae5e7SchristosFor B<x931> if the digest type is set it is used to format the block data 246*66bae5e7Schristosotherwise the first byte is used to specify the X9.31 digest ID. Sign, 247*66bae5e7Schristosverify and verifyrecover are can be performed in this mode. 248*66bae5e7Schristos 249*66bae5e7SchristosFor B<pss> mode only sign and verify are supported and the digest type must be 250*66bae5e7Schristosspecified. 251*66bae5e7Schristos 252*66bae5e7Schristos=item B<rsa_pss_saltlen:>I<len> 253*66bae5e7Schristos 254*66bae5e7SchristosFor B<pss> mode only this option specifies the salt length. Three special 255*66bae5e7Schristosvalues are supported: B<digest> sets the salt length to the digest length, 256*66bae5e7SchristosB<max> sets the salt length to the maximum permissible value. When verifying 257*66bae5e7SchristosB<auto> causes the salt length to be automatically determined based on the 258*66bae5e7SchristosB<PSS> block structure. 259*66bae5e7Schristos 260*66bae5e7Schristos=item B<rsa_mgf1_md:>I<digest> 261*66bae5e7Schristos 262*66bae5e7SchristosFor PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not 263*66bae5e7Schristosexplicitly set in PSS mode then the signing digest is used. 264*66bae5e7Schristos 265*66bae5e7Schristos=item B<rsa_oaep_md:>I<digest> 266*66bae5e7Schristos 267*66bae5e7SchristosSets the digest used for the OAEP hash function. If not explicitly set then 268*66bae5e7SchristosSHA1 is used. 269*66bae5e7Schristos 270*66bae5e7Schristos=back 271*66bae5e7Schristos 272*66bae5e7Schristos=head1 RSA-PSS ALGORITHM 273*66bae5e7Schristos 274*66bae5e7SchristosThe RSA-PSS algorithm is a restricted version of the RSA algorithm which only 275*66bae5e7Schristossupports the sign and verify operations with PSS padding. The following 276*66bae5e7Schristosadditional B<-pkeyopt> values are supported: 277*66bae5e7Schristos 278*66bae5e7Schristos=over 4 279*66bae5e7Schristos 280*66bae5e7Schristos=item B<rsa_padding_mode:>I<mode>, B<rsa_pss_saltlen:>I<len>, 281*66bae5e7SchristosB<rsa_mgf1_md:>I<digest> 282*66bae5e7Schristos 283*66bae5e7SchristosThese have the same meaning as the B<RSA> algorithm with some additional 284*66bae5e7Schristosrestrictions. The padding mode can only be set to B<pss> which is the 285*66bae5e7Schristosdefault value. 286*66bae5e7Schristos 287*66bae5e7SchristosIf the key has parameter restrictions than the digest, MGF1 288*66bae5e7Schristosdigest and salt length are set to the values specified in the parameters. 289*66bae5e7SchristosThe digest and MG cannot be changed and the salt length cannot be set to a 290*66bae5e7Schristosvalue less than the minimum restriction. 291*66bae5e7Schristos 292*66bae5e7Schristos=back 293*66bae5e7Schristos 294*66bae5e7Schristos=head1 DSA ALGORITHM 295*66bae5e7Schristos 296*66bae5e7SchristosThe DSA algorithm supports signing and verification operations only. Currently 297*66bae5e7Schristosthere are no additional B<-pkeyopt> options other than B<digest>. The SHA1 298*66bae5e7Schristosdigest is assumed by default. 299*66bae5e7Schristos 300*66bae5e7Schristos=head1 DH ALGORITHM 301*66bae5e7Schristos 302*66bae5e7SchristosThe DH algorithm only supports the derivation operation and no additional 303*66bae5e7SchristosB<-pkeyopt> options. 304*66bae5e7Schristos 305*66bae5e7Schristos=head1 EC ALGORITHM 306*66bae5e7Schristos 307*66bae5e7SchristosThe EC algorithm supports sign, verify and derive operations. The sign and 308*66bae5e7Schristosverify operations use ECDSA and derive uses ECDH. SHA1 is assumed by default for 309*66bae5e7Schristosthe B<-pkeyopt> B<digest> option. 310*66bae5e7Schristos 311*66bae5e7Schristos=head1 X25519 AND X448 ALGORITHMS 312*66bae5e7Schristos 313*66bae5e7SchristosThe X25519 and X448 algorithms support key derivation only. Currently there are 314*66bae5e7Schristosno additional options. 315*66bae5e7Schristos 316*66bae5e7Schristos=head1 ED25519 AND ED448 ALGORITHMS 317*66bae5e7Schristos 318*66bae5e7SchristosThese algorithms only support signing and verifying. OpenSSL only implements the 319*66bae5e7Schristos"pure" variants of these algorithms so raw data can be passed directly to them 320*66bae5e7Schristoswithout hashing them first. The option B<-rawin> must be used with these 321*66bae5e7Schristosalgorithms with no B<-digest> specified. Additionally OpenSSL only supports 322*66bae5e7Schristos"oneshot" operation with these algorithms. This means that the entire file to 323*66bae5e7Schristosbe signed/verified must be read into memory before processing it. Signing or 324*66bae5e7SchristosVerifying very large files should be avoided. Additionally the size of the file 325*66bae5e7Schristosmust be known for this to work. If the size of the file cannot be determined 326*66bae5e7Schristos(for example if the input is stdin) then the sign or verify operation will fail. 327*66bae5e7Schristos 328*66bae5e7Schristos=head1 SM2 329*66bae5e7Schristos 330*66bae5e7SchristosThe SM2 algorithm supports sign, verify, encrypt and decrypt operations. For 331*66bae5e7Schristosthe sign and verify operations, SM2 requires an Distinguishing ID string to 332*66bae5e7Schristosbe passed in. The following B<-pkeyopt> value is supported: 333*66bae5e7Schristos 334*66bae5e7Schristos=over 4 335*66bae5e7Schristos 336*66bae5e7Schristos=item B<distid:>I<string> 337*66bae5e7Schristos 338*66bae5e7SchristosThis sets the ID string used in SM2 sign or verify operations. While verifying 339*66bae5e7Schristosan SM2 signature, the ID string must be the same one used when signing the data. 340*66bae5e7SchristosOtherwise the verification will fail. 341*66bae5e7Schristos 342*66bae5e7Schristos=item B<hexdistid:>I<hex_string> 343*66bae5e7Schristos 344*66bae5e7SchristosThis sets the ID string used in SM2 sign or verify operations. While verifying 345*66bae5e7Schristosan SM2 signature, the ID string must be the same one used when signing the data. 346*66bae5e7SchristosOtherwise the verification will fail. The ID string provided with this option 347*66bae5e7Schristosshould be a valid hexadecimal value. 348*66bae5e7Schristos 349*66bae5e7Schristos=back 350*66bae5e7Schristos 351*66bae5e7Schristos=head1 EXAMPLES 352*66bae5e7Schristos 353*66bae5e7SchristosSign some data using a private key: 354*66bae5e7Schristos 355*66bae5e7Schristos openssl pkeyutl -sign -in file -inkey key.pem -out sig 356*66bae5e7Schristos 357*66bae5e7SchristosRecover the signed data (e.g. if an RSA key is used): 358*66bae5e7Schristos 359*66bae5e7Schristos openssl pkeyutl -verifyrecover -in sig -inkey key.pem 360*66bae5e7Schristos 361*66bae5e7SchristosVerify the signature (e.g. a DSA key): 362*66bae5e7Schristos 363*66bae5e7Schristos openssl pkeyutl -verify -in file -sigfile sig -inkey key.pem 364*66bae5e7Schristos 365*66bae5e7SchristosSign data using a message digest value (this is currently only valid for RSA): 366*66bae5e7Schristos 367*66bae5e7Schristos openssl pkeyutl -sign -in file -inkey key.pem -out sig -pkeyopt digest:sha256 368*66bae5e7Schristos 369*66bae5e7SchristosDerive a shared secret value: 370*66bae5e7Schristos 371*66bae5e7Schristos openssl pkeyutl -derive -inkey key.pem -peerkey pubkey.pem -out secret 372*66bae5e7Schristos 373*66bae5e7SchristosHexdump 48 bytes of TLS1 PRF using digest B<SHA256> and shared secret and 374*66bae5e7Schristosseed consisting of the single byte 0xFF: 375*66bae5e7Schristos 376*66bae5e7Schristos openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \ 377*66bae5e7Schristos -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump 378*66bae5e7Schristos 379*66bae5e7SchristosDerive a key using B<scrypt> where the password is read from command line: 380*66bae5e7Schristos 381*66bae5e7Schristos openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass \ 382*66bae5e7Schristos -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1 383*66bae5e7Schristos 384*66bae5e7SchristosDerive using the same algorithm, but read key from environment variable MYPASS: 385*66bae5e7Schristos 386*66bae5e7Schristos openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass:env:MYPASS \ 387*66bae5e7Schristos -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1 388*66bae5e7Schristos 389*66bae5e7SchristosSign some data using an L<SM2(7)> private key and a specific ID: 390*66bae5e7Schristos 391*66bae5e7Schristos openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \ 392*66bae5e7Schristos -pkeyopt distid:someid 393*66bae5e7Schristos 394*66bae5e7SchristosVerify some data using an L<SM2(7)> certificate and a specific ID: 395*66bae5e7Schristos 396*66bae5e7Schristos openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \ 397*66bae5e7Schristos -rawin -digest sm3 -pkeyopt distid:someid 398*66bae5e7Schristos 399*66bae5e7SchristosDecrypt some data using a private key with OAEP padding using SHA256: 400*66bae5e7Schristos 401*66bae5e7Schristos openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \ 402*66bae5e7Schristos -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 403*66bae5e7Schristos 404*66bae5e7Schristos=head1 SEE ALSO 405*66bae5e7Schristos 406*66bae5e7SchristosL<openssl(1)>, 407*66bae5e7SchristosL<openssl-genpkey(1)>, 408*66bae5e7SchristosL<openssl-pkey(1)>, 409*66bae5e7SchristosL<openssl-rsautl(1)> 410*66bae5e7SchristosL<openssl-dgst(1)>, 411*66bae5e7SchristosL<openssl-rsa(1)>, 412*66bae5e7SchristosL<openssl-genrsa(1)>, 413*66bae5e7SchristosL<openssl-kdf(1)> 414*66bae5e7SchristosL<EVP_PKEY_CTX_set_hkdf_md(3)>, 415*66bae5e7SchristosL<EVP_PKEY_CTX_set_tls1_prf_md(3)>, 416*66bae5e7Schristos 417*66bae5e7Schristos=head1 HISTORY 418*66bae5e7Schristos 419*66bae5e7SchristosThe B<-engine> option was deprecated in OpenSSL 3.0. 420*66bae5e7Schristos 421*66bae5e7Schristos=head1 COPYRIGHT 422*66bae5e7Schristos 423*66bae5e7SchristosCopyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. 424*66bae5e7Schristos 425*66bae5e7SchristosLicensed under the Apache License 2.0 (the "License"). You may not use 426*66bae5e7Schristosthis file except in compliance with the License. You can obtain a copy 427*66bae5e7Schristosin the file LICENSE in the source distribution or at 428*66bae5e7SchristosL<https://www.openssl.org/source/license.html>. 429*66bae5e7Schristos 430*66bae5e7Schristos=cut 431