n 2 step crypto hash compare --alg sha512-256
'''

**step base64** implements base64 encoding as specified by RFC 4648.

## Examples

Encode to base64 using the standard encoding:
'''
$ echo -n This is the string to encode | step base64
VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ==
$ step base64 This is the string to encode
VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ==
'''

Decode a base64 encoded string:
'''
$ echo VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ== | step base64 -d
This is the string to encode
'''

Encode to base64 without padding:
'''
$ echo -n This is the string to encode | step base64 -r
VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ
$ step base64 -r This is the string to encode
VGhpcyBpcyB0aGUgc3RyaW5nIHRvIGVuY29kZQ
'''

Encode to base64 using the url encoding:
'''
$ echo 'abc123$%^&*()_+-=~' | step base64 -u
YWJjMTIzJCVeJiooKV8rLT1-Cg==
'''

Decode a URL-encoded base64 string.
The encoding type can be enforced using the '-u' or '-r' flags, but it will be auto-detected if they are not passed:
'''
$ echo YWJjMTIzJCVeJiooKV8rLT1-Cg== | step base64 -d
abc123$%^&*()_+-=~
$ echo YWJjMTIzJCVeJiooKV8rLT1-Cg== | step base64 -d -u
abc123$%^&*()_+-=~
'''

**%s** command manages email addresses and domains in policies

## EXAMPLES

Allow all email addresses for the example.com domain in X.509 certificates on authority level
'''
$ step ca policy authority x509 allow email @example.com
'''

Remove the email addresses for the example.com domain in X.509 certificates on authority level
'''
$ step ca policy authority x509 allow email @example.com --remove
'''

Deny badmail@example.com in X.509 certificates on authority level
'''
$ step ca policy authority x509 deny email badmail@example.com
'''

Allow all email addresses for the example.com domain in X.509 certificates on provisioner level
'''
$ step ca policy provisioner x509 allow email @example.com --provisioner my_provisioner
'''

Allow all local parts for the example.com domain in SSH user certificates on provisioner level
'''
$ step ca policy provisioner ssh user allow email @example.com --provisioner my_provisioner
'''

Deny root@example.com domain in SSH user certificates on provisioner level
'''
$ step ca policy provisioner ssh user deny email @example.com --provisioner my_provisioner
'''

**step ssh needs-renewal** returns '0' if the SSH certificate needs to be renewed based on its remaining lifetime. Returns '1' if the SSH certificate is within its validity lifetime bounds and does not need to be renewed. By default, an SSH certificate "needs renewal" when it has passed 66% (default threshold) of its allotted lifetime. This threshold can be adjusted using the '--expires-in' flag.

## POSITIONAL ARGUMENTS

: The path to an SSH certificate.

## EXIT CODES

This command returns '0' if the SSH certificate needs renewal, '1' if the SSH certificate does not need renewal, '2' if the SSH certificate file does not exist, and '255' for any other error.
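Added example, not part of the step documentation: because exit code '0' means "needs renewal" while a missing file or any other error returns '2' or '255', a wrapper should distinguish all four outcomes instead of treating every non-zero code as "no renewal needed". The function names `renewal_state` and `audit_certs` are hypothetical.

```shell
#!/bin/sh
# Added example; renewal_state and audit_certs are hypothetical helper names.

# Map the documented exit codes of `step ssh needs-renewal` to a state word.
# $1 = certificate path, $2 = optional --expires-in value (e.g. 1h15m or 75%).
renewal_state() {
    cert=$1
    threshold=${2:-}
    rc=0
    if [ -n "$threshold" ]; then
        step ssh needs-renewal "$cert" --expires-in "$threshold" >/dev/null 2>&1 || rc=$?
    else
        # No flag: the default 66% threshold applies.
        step ssh needs-renewal "$cert" >/dev/null 2>&1 || rc=$?
    fi
    case $rc in
        0) echo renew ;;    # needs renewal
        1) echo ok ;;       # within validity bounds, no renewal needed
        2) echo missing ;;  # certificate file does not exist
        *) echo error ;;    # 255 or anything unexpected
    esac
}

# Check several certificates with one threshold. Prints "<state> <path>" per
# certificate and returns non-zero if any could not be evaluated, so a
# scheduler or monitor can alert instead of silently skipping the renewal.
audit_certs() {
    threshold=$1
    shift
    failed=0
    for c in "$@"; do
        state=$(renewal_state "$c" "$threshold")
        echo "$state $c"
        case $state in
            missing|error) failed=1 ;;
        esac
    done
    return $failed
}
```

A cron job can call `audit_certs 75% /etc/ssh/*-cert.pub` and renew every path reported as `renew`.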
## EXAMPLES

Check if an SSH certificate needs renewal using the default threshold (66%):
'''
$ step ssh needs-renewal ./ssh_host_ed25519_key.pub
'''

Check if certificate will expire within a given duration:
'''
$ step ssh needs-renewal ./ssh_host_ed25519_key.pub --expires-in 1h15m
'''

Check if an SSH certificate has passed 75 percent of its lifetime:
'''
$ step ssh needs-renewal ./ssh_host_ed25519_key.pub --expires-in 75%
'''

The **step crypto nacl** command group is a thin CLI wrapper around the NaCl (pronounced "salt") cryptography library. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools. Perhaps its biggest advantage is simplicity. NaCl was designed to be easy to use and hard to misuse.
Typical cryptographic libraries force you to specify choices for cryptographic primitives and constructions (e.g., sign this message with 4096-bit RSA using PKCS#1 v2.0 with SHA-256). But most people are not cryptographers. These choices become foot guns. By contrast, NaCl allows you to simply say "sign this message". NaCl ships with a preselected choice -- a state-of-the-art signature system suitable for most applications -- and it has a side mechanism through which a cryptographer can easily override the choice of signature system.

There are language bindings and pure implementations of NaCl for all major languages. For internal use cases where compatibility with open standards like JWT is not an issue, NaCl should be your default choice for cryptographic needs.

For more information on NaCl visit https://nacl.cr.yp.to

**step certificate lint** checks a certificate for common errors and outputs the result in JSON format. It is intended for evaluating Web PKI certificates, and may not be appropriate for internal PKIs.

## POSITIONAL ARGUMENTS

: Path to a certificate or certificate signing request (CSR) to lint.

## EXIT CODES

This command returns 0 on success and >0 if any error occurs.
## EXAMPLES

'''
$ step certificate lint ./certificate.crt
'''

Lint a remote certificate (using the default root certificate bundle to verify the server):
'''
$ step certificate lint https://smallstep.com
'''

Lint a remote certificate using a custom root certificate to verify the server:
'''
$ step certificate lint https://smallstep.com --roots ./certificate.crt
'''

Lint a remote certificate using a custom list of root certificates to verify the server:
'''
$ step certificate lint https://smallstep.com \
--roots "./certificate.crt,./certificate2.crt,/certificate3.crt"
'''

Lint a remote certificate using a custom directory of root certificates to verify the server:
'''
$ step certificate lint https://smallstep.com --roots "./path/to/certificates/"
'''

The 'step crypto kdf compare' command compares a plaintext value (e.g., a password) with an existing KDF password hash in PHC string format. The PHC string input indicates which KDF algorithm and parameters to use.

If the input matches, the command prints a human-readable message indicating success to STDERR and returns 0. If the input does not match, an error will be printed to STDERR and the command will exit with a non-zero return code.

If this command is run without the optional argument and STDIN is a TTY (i.e., you're running the command in an interactive terminal and not piping input to it), you'll be prompted to enter a value on STDERR. If STDIN is not a TTY, it will be read without prompting.

For examples, see **step help crypto kdf**.
POSITIONAL ARGUMENTS

: The KDF password hash in PHC string format.

: The plaintext value to compare with . is optional and its use is not recommended. If this argument is provided the **--insecure** flag must also be provided because your (presumably secret) will likely be logged and appear in places you might not expect. If omitted input is read from STDIN.

**step ca provisioner webhook add** adds a webhook to a provisioner.

The command will print the webhook ID and secret that must be used to verify all requests from step CA.

## POSITIONAL ARGUMENTS

: The name of the provisioner.

: The name of the webhook.

## EXAMPLES

Create a webhook without an Authorization header:
'''
step ca provisioner webhook add my_provisioner my_webhook --url https://example.com
'''

Create a webhook with a bearer token:
'''
step ca provisioner webhook add my_provisioner my_webhook --url https://example.com --bearer-token-file token.txt
'''

Create a webhook with basic authentication:
'''
step ca provisioner webhook add my_provisioner my_webhook --url https://example.com --basic-auth-username user --basic-auth-password-file pass.txt
'''

Create a webhook that will never send a client certificate to the webhook server:
'''
step ca provisioner webhook add my_provisioner my_webhook --url https://example.com --disable-tls-client-auth
'''

Create a webhook that will only be called when signing x509 certificates:
'''
step ca provisioner webhook add my_provisioner my_webhook --url https://example.com --cert-type X509
'''

With a SCEP provisioner the is a shared secret between a client and the CA.

With an ACME provisioner, this flag specifies the or challenges to enable. Use the flag multiple times to configure multiple challenges.

The supported ACME challenges are:

**http-01**
: With the HTTP challenge, the client in an ACME transaction proves its control over a domain name by proving that it can provision HTTP resources on a server accessible under that domain name.
**dns-01**
: With the DNS challenge, the client can prove control of a domain by provisioning a TXT resource record containing a designated value for a specific validation domain name.

**tls-alpn-01**
: With the TLS with Application-Layer Protocol Negotiation (TLS ALPN) challenge, the client can prove control over a domain name by configuring a TLS server to respond to specific connection attempts using the ALPN extension with identifying information.

**device-attest-01**
: With the device attestation challenge, the client can prove control over a permanent identifier of a device by providing an attestation statement containing the identifier of the device.

If the provisioner has no challenges configured, http-01, dns-01 and tls-alpn-01 will be automatically enabled.

**step crypto jose format** reads a JWT, a JWS, or a JWE from STDIN and swaps the serialization of the content, from compact to JSON or from JSON to compact.

## EXAMPLES

Transform a JSON encrypted message to the compact serialization format:
'''
$ echo The message | step crypto jwe encrypt --key p256.enc.pub | step crypto jose format
eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlNTR1pNdjZyMGlHbmtsMnpKRERXS1JlaDU4R3RwTjVjT2tBZnlaaUI0enMiLCJ5IjoiLUJzQ2w5RjZNd28zRWZoTFJIeVdDbGlxU2d6T2tubzNuWW80azlPSVk0TSJ9LCJraWQiOiJHd0tSTUdXY1pWNFE2dGZZblpjZm90N090N2hjQ0t2cUJPVWljX0JoZ0gwIn0 . . iJNn8SrqE8I5Bhog .
NO9FfC25Ow9ogzq1.6M3Jiy_osGwlioJjXPyl9w
'''

Transform a compact token to the JSON serialization format:
'''
$ step crypto jwt sign --key p256.priv.json --iss "joe" --aud "bob" \
--sub "hello" --exp $(date -v+1M +"%s") | step crypto jose format
{
  "payload":"eyJhdWQiOiJib2IiLCJleHAiOjE1MzUyNDE4OTYsImlhdCI6MTUzMjU2MzQ5OCwiaXNzIjoiam9lIiwibmJmIjoxNTMyNTYzNDk4LCJzdWIiOiJoZWxsbyJ9",
  "protected":"eyJhbGciOiJFUzI1NiIsImtpZCI6IlpqR1g5N0xtY2ZsUG9sV3Zzb0FXekM1V1BXa05GRkgzUWRLTFVXOTc4aGsiLCJ0eXAiOiJKV1QifQ",
  "signature":"wlRDGrjQItHFu5j2H4A4T6_P5Ek00ugJXQ3iIXibsZjU96_BaqddnAqFWeKpb6xHWGRAHKtlm9bUYBfLQ8Jlsg"
}
'''

**step crypto nacl sign** command group uses public-key cryptography to sign and verify messages. The implementation is based on NaCl's crypto_sign function.

NaCl crypto_sign is crypto_sign_edwards25519sha512batch, a particular combination of Curve25519 in Edwards form and SHA-512 into a signature scheme suitable for high-speed batch verification. This function is conjectured to meet the standard notion of unforgeability under chosen-message attacks.

These commands are interoperable with NaCl: https://nacl.cr.yp.to/sign.html

## EXAMPLES

Create a keypair for verifying and signing messages:
'''
$ step crypto nacl sign keypair nacl.sign.pub nacl.sign.priv
'''

Sign a message using the private key:
'''
$ step crypto nacl sign sign nacl.sign.priv
Please enter text to sign: ********
rNrOfqsv4svlRnVPSVYe2REXodL78yEMHtNkzAGNp4MgHuVGoyayp0zx4D5rjTzYVVrD2HRP306ZILT62ohvCG1lc3NhZ2U
$ cat message.txt | step crypto nacl sign sign ~/step/keys/nacl.recipient.sign.priv
rNrOfqsv4svlRnVPSVYe2REXodL78yEMHtNkzAGNp4MgHuVGoyayp0zx4D5rjTzYVVrD2HRP306ZILT62ohvCG1lc3NhZ2U
'''

Verify the signed message using the public key:
'''
$ echo rNrOfqsv4svlRnVPSVYe2REXodL78yEMHtNkzAGNp4MgHuVGoyayp0zx4D5rjTzYVVrD2HRP306ZILT62ohvCG1lc3NhZ2U \
| step crypto nacl sign open nacl.sign.pub
message
'''

The signature or MAC algorithm to use. Algorithms are case-sensitive strings defined in RFC7518.
The selected algorithm must be compatible with the key type. This flag is optional. If not specified, the "alg" member of the JWK is used. If the JWK has no "alg" member then a default is selected depending on the JWK key type. If the JWK has an "alg" member and the "alg" flag is passed the two options must match unless the '--subtle' flag is also passed.

: is a case-sensitive string and must be one of:

**HS256**
: HMAC using SHA-256 (default for "oct" key type)

**HS384**
: HMAC using SHA-384

**HS512**
: HMAC using SHA-512

**RS256**
: RSASSA-PKCS1-v1_5 using SHA-256 (default for "RSA" key type)

**RS384**
: RSASSA-PKCS1-v1_5 using SHA-384

**RS512**
: RSASSA-PKCS1-v1_5 using SHA-512

**ES256**
: ECDSA using P-256 and SHA-256 (default for "EC" key type)

**ES384**
: ECDSA using P-384 and SHA-384

**ES512**
: ECDSA using P-521 and SHA-512

**PS256**
: RSASSA-PSS using SHA-256 and MGF1 with SHA-256

**PS384**
: RSASSA-PSS using SHA-384 and MGF1 with SHA-384

**PS512**
: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

**EdDSA**
: EdDSA signature algorithm