diff --git a/.gitignore b/.gitignore
index ba9c8551..33595f5b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,3 +54,4 @@ CLAUDE.md
 /index.txt
 /serial-file-test
 /rand-file-test
+manpages/*.1.gz
diff --git a/Makefile.am b/Makefile.am
index 65832320..30596ceb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -44,11 +44,49 @@ EXTRA_DIST+= wolfclu.sln EXTRA_DIST+= wolfCLU.vcxproj EXTRA_DIST+= wolfCLU.vcxproj.filters -man_MANS+= manpages/wolfCLU_benchmark.1 -man_MANS+= manpages/wolfCLU_decrypt.1 -man_MANS+= manpages/wolfCLU_encrypt.1 -man_MANS+= manpages/wolfCLU_hash.1 +if ENABLE_MANPAGES man_MANS+= manpages/wolfssl.1 +man_MANS+= manpages/wolfssl-bench.1 +man_MANS+= manpages/wolfssl-decrypt.1 +man_MANS+= manpages/wolfssl-encrypt.1 +man_MANS+= manpages/wolfssl-hash.1 +man_MANS+= manpages/wolfssl-enc.1 +man_MANS+= manpages/wolfssl-ca.1 +man_MANS+= manpages/wolfssl-x509.1 +man_MANS+= manpages/wolfssl-req.1 +man_MANS+= manpages/wolfssl-verify.1 +man_MANS+= manpages/wolfssl-crl.1 +man_MANS+= manpages/wolfssl-genkey.1 +man_MANS+= manpages/wolfssl-pkey.1 +man_MANS+= manpages/wolfssl-rsa.1 +man_MANS+= manpages/wolfssl-ecparam.1 +man_MANS+= manpages/wolfssl-dsaparam.1 +man_MANS+= manpages/wolfssl-dhparam.1 +man_MANS+= manpages/wolfssl-pkcs7.1 +man_MANS+= manpages/wolfssl-pkcs8.1 +man_MANS+= manpages/wolfssl-pkcs12.1 +man_MANS+= manpages/wolfssl-dgst.1 +man_MANS+= manpages/wolfssl-sign_verify.1 +# The keytype pages below are .so aliases for wolfssl-sign_verify.1 (same +# page, different keytype). Shortcut commands with their own synopsis (md5, +# sha256, ...) get full standalone pages instead. .so pages only render once +# installed under man1/. +man_MANS+= manpages/wolfssl-ecc.1 +man_MANS+= manpages/wolfssl-ed25519.1 +man_MANS+= manpages/wolfssl-dilithium.1 +man_MANS+= manpages/wolfssl-xmss.1 +man_MANS+= manpages/wolfssl-xmssmt.1 +man_MANS+= manpages/wolfssl-rand.1 +man_MANS+= manpages/wolfssl-base64.1 +man_MANS+= manpages/wolfssl-s_client.1 +man_MANS+= manpages/wolfssl-s_server.1 +man_MANS+= manpages/wolfssl-ocsp.1 +man_MANS+= manpages/wolfssl-md5.1 +man_MANS+= manpages/wolfssl-sha256.1 +man_MANS+= manpages/wolfssl-sha384.1 +man_MANS+= manpages/wolfssl-sha512.1 +man_MANS+= manpages/wolfssl-version.1 +endif include src/include.am include wolfclu/include.am 
@@ -84,9 +122,46 @@ TESTS += $(check_SCRIPTS) # When tests live in the source tree (no VPATH), those files land in tests/, # where EXTRA_DIST+=tests would otherwise sweep them into the tarball and # break `make distcheck` via stale VPATH lookups. +# Generate the compressed manpages into the tarball from their .1 sources, +# so the .gz copies are never hand-maintained in git. These ship in the release +# tarball for downstream packaging; they are intentionally not installed +# (man_MANS installs the .1 files, and distros compress man pages themselves). +# -n keeps the output byte-reproducible across dist runs (no embedded +# filename/mtime). Only done if manpages are enabled. dist-hook: find $(distdir)/tests -name '*.log' -delete find $(distdir)/tests -name '*.trs' -delete +if ENABLE_MANPAGES +# Under `make distcheck` the nested dist runs against a read-only srcdir: the +# .1 files, their directory, and the .gz copies from the previous (outer) dist +# all land read-only in the distdir. Make the dir writable and drop any stale +# .gz so the redirect below can recreate them; distcheck's own teardown +# restores write perms before removing the tree, so this is safe. + chmod u+w $(distdir)/manpages + rm -f $(distdir)/manpages/*.1.gz + for f in $(distdir)/manpages/*.1; do gzip -nc "$$f" > "$$f.gz"; done +endif + +if ENABLE_MANPAGES +# On-demand regeneration of the compressed manpages from their .1 sources. +# Run `make manpages-gz` after editing any .1; thanks to the prerequisite +# only the pages whose source actually changed are rebuilt. These .gz are +# gitignored and NOT installed (man_MANS installs the .1 files) -- the +# release tarball gets its own fresh copies via the dist-hook above, so this +# target is purely a local convenience (preview/packaging). It is not wired +# into `all` on purpose: writing into the source tree during a normal build +# would break `make distcheck`, which builds against a read-only srcdir. 
+# -n keeps the output byte-reproducible (no embedded filename/mtime). +MAN_GZ = $(man_MANS:.1=.1.gz) + +.PHONY: manpages-gz +manpages-gz: $(MAN_GZ) + +%.1.gz: %.1 + gzip -nc "$<" > "$@" + +CLEANFILES += $(MAN_GZ) +endif test: check #DISTCLEANFILES+= wolfssl-config diff --git a/README.md b/README.md index b7e42f76..b3a0a219 100644 --- a/README.md +++ b/README.md 
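Review bot: The gzip loop added to `dist-hook` does not stop on failure: a shell `for` loop returns the status of its last iteration only, and the `>` redirect creates the output file before gzip runs, so an error on any page but the last still lets `make dist` succeed and ship an empty or truncated `.1.gz` in the release tarball. Ending the loop body with `|| exit 1`, as in `for f in $(distdir)/manpages/*.1; do gzip -nc "$$f" > "$$f.gz" || exit 1; done`, makes the dist fail instead. The `%.1.gz: %.1` rule has the same partial-output problem, since a failed gzip leaves a target that is newer than its source; `gzip -nc "$<" > "$@.tmp" && mv -f "$@.tmp" "$@"` avoids that. `%` pattern rules are also a GNU make extension, so this rule will trip automake's portability warnings if the project enables them.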
@@ -32,16 +32,54 @@ sudo make install If wolfSSL was recently installed run `sudo ldconfig` to update the linker cache. +#### Build Options + +You can customize the build with configure flags: + +``` +./configure --disable-manpages # Skip manpage installation (useful for embedded builds) +./configure --with-wolfssl=PATH # Specify wolfSSL installation path +``` + Now, you should be able to use wolfCLU: ``` wolfssl -h ``` -If everything worked, you should see the wolfCLU help message. +If everything worked, you should see the wolfCLU help message. The manpages are also automatically installed during `make install`, so you can view them immediately: + +``` +man wolfssl +man wolfssl-genkey +man wolfssl-encrypt +``` For instuctions on how to build windows, see [here](ide/winvs/README.md). +## Contributing to Documentation + +### Manpage Building + +Manpages are automatically generated and installed as part of the normal build process (unless disabled with `--disable-manpages`). When you run `make install`, the `.1` source files in the `manpages/` directory are automatically installed to `/usr/share/man/man1/`, making them immediately accessible via the `man` command. + +For developers actively editing manpage files (`.1` files in the `manpages/` directory), you can test changes locally without running the full build: + +```bash +mkdir -p ~/.local/share/man/man1 +cp manpages/*.1 ~/.local/share/man/man1/ +man wolfssl-base64 +``` + +Alternatively, generate compressed versions and view them directly (only available if manpages are enabled): + +```bash +make manpages-gz +man -l manpages/wolfssl-base64.1 +``` + +**Important:** Only commit the `.1` source files to the repository. The `.1.gz` compressed versions are generated on-demand during build and distribution—they are gitignored and should never be tracked in git. + ## Examples ### Key Generation diff --git a/configure.ac b/configure.ac index 71cd0699..a0c98c80 100644 --- a/configure.ac +++ b/configure.ac 
@@ -80,6 +80,16 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFCLU_NO_FILESYSTEM" fi +# Manpages Build +ENABLED_MANPAGES_DEFAULT=yes +AC_ARG_ENABLE([manpages], + [AS_HELP_STRING([--disable-manpages],[Disable manpage installation (default: enabled)])], + [ ENABLED_MANPAGES=$enableval ], + [ ENABLED_MANPAGES=$ENABLED_MANPAGES_DEFAULT ] + ) + +AM_CONDITIONAL([ENABLE_MANPAGES], [test "$ENABLED_MANPAGES" = "yes"]) + #wolfssl AC_MSG_CHECKING([for wolfSSL]) diff --git a/manpages/gzip_all.sh b/manpages/gzip_all.sh deleted file mode 100755 index c09e8162..00000000 --- a/manpages/gzip_all.sh +++ /dev/null @@ -1,5 +0,0 @@ -gzip < wolfCLU_benchmark.1 > wolfCLU_benchmark.1.gz -gzip < wolfCLU_decrypt.1 > wolfCLU_decrypt.1.gz -gzip < wolfCLU_encrypt.1 > wolfCLU_encrypt.1.gz -gzip < wolfCLU_hash.1 > wolfCLU_hash.1.gz -gzip < wolfssl.1 > wolfssl.1.gz diff --git a/manpages/wolfCLU_benchmark.1 b/manpages/wolfCLU_benchmark.1 deleted file mode 100644 index 7419efc5..00000000 --- a/manpages/wolfCLU_benchmark.1 +++ /dev/null @@ -1,34 +0,0 @@ -.\" Manpage for wolfCLU_benchmark. -.\" Contact info@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl benchmark man page" -.SH NAME -wolfCLU benchmark \- benchmarking utility for testing -.SH SYNOPSIS -wolfssl -bench TESTS [-time ] [-all] [-tests] -.SH DESCRIPTION -Tests algorithm functionality and speed -.SH TESTS --aes-cbc --aes-ctr* --3des* --camellia* --md5 --sha --sha256 --sha384* --sha512* --blake2b* -*(NOTE: Only available through ./configure options) -.SH OPTIONS --time time for each of the tests in seconds -.br -.LP --all runs all available tests -.SH BUGS -No known bugs at this time. -.SH AUTHOR -wolfSSL, Inc. (info@wolfssl.com) -.SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. -.SH REPORTING BUGS -Report wolfssl bugs to support@wolfssl.com 
diff --git a/manpages/wolfCLU_benchmark.1.gz b/manpages/wolfCLU_benchmark.1.gz
deleted file mode 100644
index 13076ac4..00000000
Binary files a/manpages/wolfCLU_benchmark.1.gz and /dev/null differ
diff --git a/manpages/wolfCLU_decrypt.1.gz b/manpages/wolfCLU_decrypt.1.gz
deleted file mode 100644
index e0e324d8..00000000
Binary files a/manpages/wolfCLU_decrypt.1.gz and /dev/null differ
diff --git a/manpages/wolfCLU_encrypt.1.gz b/manpages/wolfCLU_encrypt.1.gz
deleted file mode 100644
index 7683ce3c..00000000
Binary files a/manpages/wolfCLU_encrypt.1.gz and /dev/null differ
diff --git a/manpages/wolfCLU_hash.1 b/manpages/wolfCLU_hash.1
deleted file mode 100644
index 5d3c193c..00000000
--- a/manpages/wolfCLU_hash.1
+++ /dev/null
@@ -1,37 +0,0 @@
-.\" Manpage for wolfssl command line utility hash.
-.\" Contact info@wolfssl.com to correct errors or typos.
-.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl hash man page"
-.SH NAME
-hash \- hashing utility
-.SH SYNOPSIS
-wolfssl -hash <-algorithm> <-in filename> [-out filename/stdin] [-size size] [-length length]
-.SH DESCRIPTION
-This command hashes either stdin or a file based on the chosen algorithm
-.SH ALGORITHMS
--md5
--sha
--sha256
-(NOTE: The following are only available if ./configure supports them)
--sha384
--sha512
--blake2b
-.SH OPTIONS
--in filename/stdin the input filename, standard input. If file does not exist,
-.br
- user will be prompted for file name or input input string
-.br
-.LP
--out filename the output filename, if file does not exist, it will be created
-.LP
--size size **Usuable only with Blake2b. Block size of the function.
-.LP
--length length length of message to hash (optional)
-** denotes only available for specific algorithm
-.SH BUGS
-No known bugs at this time.
-.SH AUTHOR
-wolfSSL, Inc. (info@wolfssl.com)
-.SH COPYRIGHT
-Copyright 2014 wolfSSL Inc. All rights reserved.
-.SH REPORTING BUGS
-Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfCLU_hash.1.gz b/manpages/wolfCLU_hash.1.gz
deleted file mode 100644
index 2411a232..00000000
Binary files a/manpages/wolfCLU_hash.1.gz and /dev/null differ
diff --git a/manpages/wolfssl-base64.1 b/manpages/wolfssl-base64.1
new file mode 100644
index 00000000..500a2a4e
--- /dev/null
+++ b/manpages/wolfssl-base64.1
@@ -0,0 +1,31 @@
+.\" Manpage for wolfssl base64.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl base64 man page"
+.SH NAME
+base64 \- base64 encode or decode data
+.SH SYNOPSIS
+wolfssl base64 [-in file] [-out file] [-d]
+.SH DESCRIPTION
+Base64-encodes or decodes data. Defaults to reading from standard input
+and writing to standard output when -in/-out are not given.
+.SH OPTIONS
+-in file input file to encode/decode.
+.br
+.LP
+-out file output file for the encoded/decoded data.
+.br
+.LP
+-d decode the input (default is to encode).
+.SH NOTES
+Available only when wolfSSL is built with filesystem support and encoding
+support (not NO_CODING).
+.SH SEE ALSO
+.BR wolfssl-enc(1) ", " wolfssl-hash(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-bench.1 b/manpages/wolfssl-bench.1
new file mode 100644
index 00000000..a0280346
--- /dev/null
+++ b/manpages/wolfssl-bench.1
@@ -0,0 +1,53 @@
+.\" Manpage for wolfCLU_benchmark.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl benchmark man page"
+.SH NAME
+bench \- benchmark cryptographic algorithms
+.SH SYNOPSIS
+wolfssl bench {aes-cbc|aes-ctr|3des|camellia|md5|sha|sha256|sha384|sha512|blake2b|...} [-time ]
+.br
+wolfssl bench -all [-time ]
+.SH DESCRIPTION
+Benchmarks the performance of various cryptographic algorithms, measuring how fast they encrypt, decrypt, or hash data. Useful for understanding the speed and efficiency of different algorithms on your system.
+.SH TESTS
+-aes-cbc
+-aes-ctr*
+-3des*
+-camellia*
+-md5
+-sha
+-sha256
+-sha384*
+-sha512*
+-blake2b*
+*(NOTE: Only available through ./configure options)
+.SH OPTIONS
+-time time for each of the tests in seconds
+.br
+.LP
+-all runs all available tests
+.SH EXAMPLES
+Benchmark AES-CBC encryption for 5 seconds:
+.RS
+wolfssl bench aes-cbc -time 5
+.RE
+.LP
+Benchmark SHA-256 hashing for 10 seconds:
+.RS
+wolfssl bench sha256 -time 10
+.RE
+.LP
+Run all available benchmarks:
+.RS
+wolfssl bench -all -time 5
+.RE
+.SH SEE ALSO
+.BR wolfssl-encrypt(1) ", " wolfssl-hash(1) ", " wolfssl(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-ca.1 b/manpages/wolfssl-ca.1
new file mode 100644
index 00000000..c00cdcd2
--- /dev/null
+++ b/manpages/wolfssl-ca.1
@@ -0,0 +1,90 @@
+.\" Manpage for wolfssl ca.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ca man page"
+.SH NAME
+ca \- sign certificates from a CSR or self-sign
+.SH SYNOPSIS
+wolfssl ca [-config file] [-keyfile file] [-cert file] [-in CSR] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-md digest] [-days n] [-extensions section] [-selfsign] [-altkey file] [-altpub file] [-subjkey file] [-altextend]
+.SH DESCRIPTION
+Acts as a minimal certificate authority. Reads a certificate signing
+request (CSR) and issues a signed certificate using the CA certificate and
+private key, or self-signs using the supplied key. Most behavior is taken
+from the configuration file (see \-config).
+.SH OPTIONS
+-in file CSR file to read the request from.
+.br
+.LP
+-out file output file for the signed certificate.
+.br
+.LP
+-keyfile file private key used to sign the certificate.
+.br
+.LP
+-cert file CA certificate to issue from.
+.br
+.LP
+-config file configuration file to read CA settings from.
+.br
+.LP
+-inform PEM|DER input format of the CSR.
+.br
+.LP
+-outform PEM|DER output format of the certificate.
+.br
+.LP
+-md digest signing digest to use, e.g. sha256.
+.br
+.LP
+-days n number of days the certificate is valid for.
+.br
+.LP
+-extensions section section of the config file to read extensions from.
+.br
+.LP
+-selfsign sign using the key associated with the certificate
+.br
+ instead of a separate CA certificate.
+.br
+.LP
+-altkey file alternate private key (dual-algorithm certificates;
+.br
+ requires wolfSSL built with WOLFSSL_DUAL_ALG_CERTS and
+.br
+ HAVE_DILITHIUM).
+.br
+.LP
+-altpub file alternate public key (dual-algorithm certificates).
+.br
+.LP
+-subjkey file subject key for dual-algorithm certificates.
+.br
+.LP
+-altextend extend with an alternate key (dual-algorithm certificates).
+.SH EXAMPLES
+Self-sign a CSR with its own key:
+.RS
+wolfssl ca -selfsign -in mycsr.pem -keyfile mykey.pem -out mycert.pem -days 365 -md sha256
+.RE
+.LP
+Sign a CSR as a CA with your CA certificate and key:
+.RS
+wolfssl ca -in csr.pem -out cert.pem -keyfile ca-key.pem -cert ca-cert.pem -days 365 -md sha256
+.RE
+.LP
+View the certificate details after signing:
+.RS
+wolfssl x509 -in cert.pem -text -noout
+.RE
+.SH SEE ALSO
+.BR wolfssl-req(1) ", " wolfssl-x509(1) ", " wolfssl-verify(1)
+.SH NOTES
+This command is only available when wolfSSL is built with filesystem
+support (not WOLFCLU_NO_FILESYSTEM).
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-crl.1 b/manpages/wolfssl-crl.1
new file mode 100644
index 00000000..20a089a3
--- /dev/null
+++ b/manpages/wolfssl-crl.1
@@ -0,0 +1,44 @@
+.\" Manpage for wolfssl crl.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl crl man page"
+.SH NAME
+crl \- parse and verify Certificate Revocation Lists
+.SH SYNOPSIS
+wolfssl crl [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-CAfile file] [-text] [-noout]
+.SH DESCRIPTION
+Reads a Certificate Revocation List (CRL), optionally verifies it against a
+CA certificate, converts it between PEM and DER, and/or prints it.
+.SH OPTIONS
+-in file the file to read from.
+.br
+.LP
+-out file output file to write to.
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-CAfile file CA certificate used to verify the CRL.
+.br
+.LP
+-text output human readable text of the CRL.
+.br
+.LP
+-noout do not print the output.
+.SH NOTES
+Available only when wolfSSL is built with CRL support (HAVE_CRL) and
+filesystem support. Human-readable printing additionally requires CRL
+print support in wolfSSL.
+.SH SEE ALSO
+.BR wolfssl-verify(1) ", " wolfssl-x509(1) ", " wolfssl-ocsp(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfCLU_decrypt.1 b/manpages/wolfssl-decrypt.1
similarity index 69%
rename from manpages/wolfCLU_decrypt.1
rename to manpages/wolfssl-decrypt.1
index 46107de1..caeda446 100644
--- a/manpages/wolfCLU_decrypt.1
+++ b/manpages/wolfssl-decrypt.1
@@ -1,12 +1,13 @@ .\" Manpage for wolfCLU decrypt. .\" Contact info@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl decrypt man page" +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl decrypt man page" .SH NAME decrypt \- cipher routines .SH SYNOPSIS wolfssl -decrypt <-algorithm> <-in filename> [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] .SH DESCRIPTION -This command allows data to be decrypted using ciphers and keys based on passwords if not explicitly provided +Decrypts a file or input data using a cipher and a password or key. The algorithm must match the one used for encryption. If using a password, the same password decrypts the file. For password-based decryption, the salt is automatically extracted from the encrypted file. For explicit keys and IVs, you must provide the same values used during encryption. For encryption, see +.B wolfssl-encrypt(1). .SH ALGORITHMS -aes-cbc-[ 128 | 192 | 256 ] 
@@ -64,11 +65,28 @@ This command allows data to be decrypted using ciphers and keys based on passwor algorithm key size. The argument must name a real .br file; use -key to pass a hex key on the command line. +.SH EXAMPLES +Decrypt a file with a password: +.RS +wolfssl decrypt -aes-cbc-256 -in myfile.enc -out myfile.txt -pwd mypassword +.RE +.LP +Decrypt with an explicit key (must match encryption): +.RS +wolfssl decrypt -aes-cbc-256 -in myfile.enc -out myfile.txt -key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef0123456789abcdef +.RE +.LP +Decrypt from standard input: +.RS +cat encrypted.bin | wolfssl decrypt -aes-cbc-256 -in - -out decrypted.txt -pwd mypassword +.RE +.SH SEE ALSO +.BR wolfssl-encrypt(1) ", " wolfssl-enc(1) .SH BUGS No known bugs at this time. .SH AUTHOR wolfSSL, Inc. (info@wolfssl.com) .SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. +Copyright 2026 wolfSSL Inc. All rights reserved. .SH REPORTING BUGS Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfssl-dgst.1 b/manpages/wolfssl-dgst.1 new file mode 100644 index 00000000..7d493fac --- /dev/null +++ b/manpages/wolfssl-dgst.1 
@@ -0,0 +1,54 @@
+.\" Manpage for wolfssl dgst.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dgst man page"
+.SH NAME
+dgst \- create and verify message digest signatures
+.SH SYNOPSIS
+wolfssl dgst [-digest] [-sign key | -verify key] [-signature file] [-inform PEM|DER] [-out file]
+.SH DESCRIPTION
+Signs a file or verifies a signature over a file using a chosen digest
+algorithm. The data that was signed is given as the final argument. RSA
+and ECC keys are supported.
+.SH DIGEST ALGORITHMS
+-md5
+.br
+-sha
+.br
+-sha224
+.br
+-sha256
+.br
+-sha384
+.br
+-sha512
+.SH OPTIONS
+-sign key private key used to create the signature.
+.br
+.LP
+-verify key key used to verify the signature.
+.br
+.LP
+-signature file file containing the signature to verify.
+.br
+.LP
+-inform PEM|DER input format of the key.
+.br
+.LP
+-out file output file for the signature.
+.SH EXAMPLES
+Verify a signature over the file "test":
+.br
+wolfssl dgst -signature test.sig -verify key.pem test
+.SH NOTES
+Available only when wolfSSL is built with filesystem support. On wolfSSL
+later than 5.9.1, MD5 is below the default minimum signature hash.
+.SH SEE ALSO
+.BR wolfssl-hash(1) ", " wolfssl-sign_verify(1) ", " wolfssl-genkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-dhparam.1 b/manpages/wolfssl-dhparam.1
new file mode 100644
index 00000000..4a9cd586
--- /dev/null
+++ b/manpages/wolfssl-dhparam.1
@@ -0,0 +1,38 @@
+.\" Manpage for wolfssl dhparam.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dhparam man page"
+.SH NAME
+dhparam \- Diffie-Hellman parameter and key generation
+.SH SYNOPSIS
+wolfssl dhparam [-in file] [-out file] [-genkey] [-check] [-noout] [numbits]
+.SH DESCRIPTION
+Generates Diffie-Hellman parameters and keys, or reads and displays
+existing DH parameters. When generating, the parameter size in bits is
+given as the final argument (for example 1024, 2048, or 4096).
+.SH OPTIONS
+-in file input file for parameters to read.
+.br
+.LP
+-out file file to output to (default stdout).
+.br
+.LP
+-genkey generate a DH key using the parameter input.
+.br
+.LP
+-check check that the parameters are valid.
+.br
+.LP
+-noout do not print out the parameters.
+.SH NOTES
+Available only when wolfSSL is built with DH support (not NO_DH).
+4096-bit parameters require wolfSSL built with HAVE_FFDHE_4096.
+.SH SEE ALSO
+.BR wolfssl-dsaparam(1) ", " wolfssl-ecparam(1) ", " wolfssl-genkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-dilithium.1 b/manpages/wolfssl-dilithium.1
new file mode 100644
index 00000000..eb0e51b4
--- /dev/null
+++ b/manpages/wolfssl-dilithium.1
@@ -0,0 +1,2 @@
+.\" Alias page: dilithium sign/verify is documented in wolfssl-sign_verify(1).
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-dsaparam.1 b/manpages/wolfssl-dsaparam.1
new file mode 100644
index 00000000..1df97016
--- /dev/null
+++ b/manpages/wolfssl-dsaparam.1
@@ -0,0 +1,34 @@
+.\" Manpage for wolfssl dsaparam.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dsaparam man page"
+.SH NAME
+dsaparam \- DSA parameter and key generation
+.SH SYNOPSIS
+wolfssl dsaparam [-in file] [-out file] [-genkey] [-noout] [numbits]
+.SH DESCRIPTION
+Generates DSA parameters and keys, or reads and displays existing DSA
+parameters. When generating, the number of bits is given as the final
+argument (for example 1024 or 2048).
+.SH OPTIONS
+-in file input file for parameters to read.
+.br
+.LP
+-out file file to output to (default stdout).
+.br
+.LP
+-genkey generate a DSA key using the parameter input.
+.br
+.LP
+-noout do not print out the parameters.
+.SH NOTES
+Available only when wolfSSL is built with DSA support (not NO_DSA).
+.SH SEE ALSO
+.BR wolfssl-dhparam(1) ", " wolfssl-ecparam(1) ", " wolfssl-genkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-ecc.1 b/manpages/wolfssl-ecc.1
new file mode 100644
index 00000000..abb35b5f
--- /dev/null
+++ b/manpages/wolfssl-ecc.1
@@ -0,0 +1,2 @@
+.\" Alias page: ecc sign/verify is documented in wolfssl-sign_verify(1).
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-ecparam.1 b/manpages/wolfssl-ecparam.1
new file mode 100644
index 00000000..c22fd99d
--- /dev/null
+++ b/manpages/wolfssl-ecparam.1
@@ -0,0 +1,42 @@
+.\" Manpage for wolfssl ecparam.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ecparam man page"
+.SH NAME
+ecparam \- EC parameter and key generation
+.SH SYNOPSIS
+wolfssl ecparam [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-genkey] [-name curve] [-text]
+.SH DESCRIPTION
+Generates elliptic curve keys and parameters, or reads and displays
+existing EC parameters.
+.SH OPTIONS
+-in file input file to read parameters/key from (optional).
+.br
+.LP
+-out file output file.
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-genkey generate a new key.
+.br
+.LP
+-name curve curve name, e.g. secp256r1 or secp384r1. The list of
+.br
+ supported curve names is shown by "wolfssl ecparam -help".
+.br
+.LP
+-text output a text representation.
+.SH SEE ALSO
+.BR wolfssl-dhparam(1) ", " wolfssl-dsaparam(1) ", " wolfssl-genkey(1) ", " wolfssl-req(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-ed25519.1 b/manpages/wolfssl-ed25519.1
new file mode 100644
index 00000000..9ed66a8f
--- /dev/null
+++ b/manpages/wolfssl-ed25519.1
@@ -0,0 +1,2 @@
+.\" Alias page: ed25519 sign/verify is documented in wolfssl-sign_verify(1).
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-enc.1 b/manpages/wolfssl-enc.1
new file mode 100644
index 00000000..bfa58f1a
--- /dev/null
+++ b/manpages/wolfssl-enc.1
@@ -0,0 +1,92 @@
+.\" Manpage for wolfssl enc.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl enc man page"
+.SH NAME
+enc \- generic symmetric encryption and decryption
+.SH SYNOPSIS
+wolfssl enc <-algorithm> [-d] [-in file] [-out file] [-pwd password] [-pass source] [-k password] [-key hex] [-iv hex] [-inkey file] [-md digest] [-pbkdf2] [-base64] [-nosalt] [-p]
+.SH DESCRIPTION
+Encrypts or decrypts a file using a symmetric cipher. By default enc
+encrypts; the -d flag selects decryption. This is the OpenSSL-style generic
+cipher mode; the encrypt and decrypt commands are direction-fixed
+equivalents.
+.SH ALGORITHMS
+-aes-cbc-[128|192|256]
+.br
+ uses AES in CBC mode with the designated key size.
+.br
+-aes-ctr-[128|192|256]
+.br
+ uses AES in CTR mode (requires WOLFSSL_AES_COUNTER).
+.br
+-3des-cbc-[56|112|168]
+.br
+ uses 3DES (requires --enable-des3).
+.br
+-camellia-cbc-[128|192|256]
+.br
+ uses Camellia (requires --enable-camellia).
+.SH OPTIONS
+-d decrypt the input (default is to encrypt).
+.br
+.LP
+-in file input file to read from.
+.br
+.LP
+-out file file to write to (default stdout).
+.br
+.LP
+-pwd password password to derive the key from.
+.br
+.LP
+-k password alternate option for password input.
+.br
+.LP
+-pass source password source, e.g. pass:.
+.br
+.LP
+-key hex explicit key as a hex string. Requires -iv; no
+.br
+ salt-based derivation is performed.
+.br
+.LP
+-iv hex initialization vector as a hex string.
+.br
+.LP
+-inkey file read the key from a file.
+.br
+.LP
+-md digest digest to use for key derivation, e.g. md5, sha256.
+.br
+.LP
+-pbkdf2 use PBKDF2 for key derivation.
+.br
+.LP
+-base64 base64-encode output (encrypt) or decode input (decrypt).
+.br
+.LP
+-nosalt do not use a salt in key derivation.
+.br
+.LP
+-p print debug information (key, IV, salt).
+.SH EXAMPLES +Encrypt a file: +.br +wolfssl enc -aes-cbc-128 -pwd Thi$i$myPa$$w0rd -in plain.txt -out cipher.txt +.br +.LP +Decrypt it again: +.br +wolfssl enc -d -aes-cbc-128 -pwd Thi$i$myPa$$w0rd -in cipher.txt -out plain.txt +.SH NOTES +Available only when wolfSSL is built with filesystem support. +.SH SEE ALSO +wolfssl-encrypt(1), wolfssl-decrypt(1) +.SH BUGS +No known bugs at this time. +.SH AUTHOR +wolfSSL, Inc. (info@wolfssl.com) +.SH COPYRIGHT +Copyright 2026 wolfSSL Inc. All rights reserved. +.SH REPORTING BUGS +Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfCLU_encrypt.1 b/manpages/wolfssl-encrypt.1 similarity index 70% rename from manpages/wolfCLU_encrypt.1 rename to manpages/wolfssl-encrypt.1 index 61ec23c4..c475ca86 100644 --- a/manpages/wolfCLU_encrypt.1 +++ b/manpages/wolfssl-encrypt.1 @@ -1,12 +1,13 @@ .\" Manpage for wolfssl encrypt. .\" Contact info@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl encrypt man page" +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl encrypt man page" .SH NAME encrypt \- cipher routines .SH SYNOPSIS wolfssl -encrypt <-algorithm> <-in filename> [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] .SH DESCRIPTION -This command allows data to be encrypted using ciphers and keys based on passwords if not explicitly provided +Encrypts a file or input data using a cipher and a password or key. By default, the password is used to derive an encryption key and initialization vector (IV) using salt-based key derivation. For advanced use, you can supply explicit keys and IVs. For decryption, see +.B wolfssl-decrypt(1). .SH ALGORITHMS -aes-cbc-[128|192|256] uses AES algorithm with designated key size. 
@@ -60,11 +61,28 @@ This command allows data to be encrypted using ciphers and keys based on passwor algorithm key size. The argument must name a real .br file; use -key to pass a hex key on the command line. +.SH EXAMPLES +Encrypt a file with a password: +.RS +wolfssl encrypt -aes-cbc-256 -in myfile.txt -out myfile.enc -pwd mypassword +.RE +.LP +Encrypt with an explicit key (advanced): +.RS +wolfssl encrypt -aes-cbc-256 -in myfile.txt -out myfile.enc -key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef0123456789abcdef +.RE +.LP +Encrypt from standard input: +.RS +echo "secret data" | wolfssl encrypt -aes-cbc-256 -in - -out encrypted.bin -pwd mypassword +.RE +.SH SEE ALSO +.BR wolfssl-decrypt(1) ", " wolfssl-enc(1) .SH BUGS No known bugs at this time. .SH AUTHOR wolfSSL, Inc. (info@wolfssl.com) .SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. +Copyright 2026 wolfSSL Inc. All rights reserved. .SH REPORTING BUGS Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfssl-genkey.1 b/manpages/wolfssl-genkey.1 new file mode 100644 index 00000000..9e259153 --- /dev/null +++ b/manpages/wolfssl-genkey.1 
@@ -0,0 +1,87 @@
+.\" Manpage for wolfssl genkey.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl genkey man page"
+.SH NAME
+genkey \- generate cryptographic keys
+.SH SYNOPSIS
+wolfssl genkey [-size bits] [-out filename] [-outform PEM|DER|RAW] [-output PUB|PRIV|KEYPAIR] [-level N] [-height N] [-layer N]
+.SH DESCRIPTION
+Generates a key of the requested type and writes the public key, private
+key, or both. The set of available key types depends on the wolfSSL
+configure options.
+.SH KEY TYPES
+rsa
+.br
+ecc
+.br
+ed25519
+.br
+dilithium (also ml-dsa) \- only if wolfSSL was built with Dilithium support
+.br
+xmss / xmssmt \- only if wolfSSL was built with XMSS support
+.SH OPTIONS
+-size bits key size in bits (for key types that take a size,
+.br
+ e.g. rsa).
+.br
+.LP
+-out filename base output filename. The suffixes .priv and .pub are
+.br
+ added for the private and public key files.
+.br
+.LP
+-outform PEM|DER|RAW output format.
+.br
+.LP
+-output PUB|PRIV|KEYPAIR
+.br
+ which keys to output. KEYPAIR writes both, PUB writes
+.br
+ only the public key, PRIV only the private key.
+.br
+.LP
+-level [2|3|5] security level for dilithium / ml-dsa keys.
+.br
+.LP
+-height [10|16|20|40|60]
+.br
+ tree height for xmss / xmssmt keys.
+.br
+.LP
+-layer [2|3|4|6|8|12] number of layers for xmssmt keys.
+.SH EXAMPLES
+Generate a 2048-bit RSA key pair in PEM format (default):
+.br
+wolfssl genkey rsa -size 2048 -out mykey
+.br
+.LP
+Generate a 2048-bit RSA key pair in DER format:
+.br
+wolfssl genkey rsa -size 2048 -out mykey -outform der -output KEYPAIR
+.br
+.LP
+The command above outputs the files mykey.priv and mykey.pub.
+.br
+.LP
+Generate a Dilithium key pair:
+.br
+wolfssl genkey dilithium -level 3 -out mykey -outform der -output KEYPAIR
+.br
+.LP
+Generate an XMSS key pair:
+.br
+wolfssl genkey xmss -height 10 -out mykey -outform raw -output KEYPAIR
+.SH NOTES
+For XMSS/XMSS^MT the key file name encodes the parameters (for example
+"XMSS-SHA2_10_256"); these parameters are determined from the file name
+when signing.
+.SH SEE ALSO
+.BR wolfssl-req(1) ", " wolfssl-ca(1) ", " wolfssl-sign_verify(1) ", " wolfssl-encrypt(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-hash.1 b/manpages/wolfssl-hash.1
new file mode 100644
index 00000000..7c1027af
--- /dev/null
+++ b/manpages/wolfssl-hash.1
@@ -0,0 +1,71 @@
+.\" Manpage for wolfssl command line utility hash.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl hash man page"
+.SH NAME
+hash \- hashing utility
+.SH SYNOPSIS
+wolfssl hash -in filename [-out filename] [-size size]
+.br
+wolfssl md5|sha256|sha384|sha512 filename [-out filename]
+.SH DESCRIPTION
+This command hashes the contents of an input file based on the chosen
+algorithm. An input file is required; reading from standard input is
+not currently supported.
+The algorithm may be supplied as an argument to the hash command with the -in
+flag, or one of the shortcut commands (md5, sha256, sha384, sha512) may be
+used as a direct top-level command, which take the filename as a positional
+argument (e.g. "wolfssl sha256 filename").
+.SH ALGORITHMS
+md5
+.br
+sha
+.br
+sha256
+.br
+(NOTE: The following are only available if ./configure supports them)
+.br
+sha384
+.br
+sha512
+.br
+blake2b
+.br
+base64enc / base64dec (encode/decode, when coding support is enabled;
+.br
+ base64enc additionally requires WOLFSSL_BASE64_ENCODE)
+.SH SHORTCUT COMMANDS
+The following may be used directly as the first argument to wolfssl as a
+convenience. Note that these shortcut commands use a different syntax than
+the generic "wolfssl hash" command - they take the filename as a positional
+argument rather than with the -in flag:
+.br
+md5 filename \- create an MD5 hash
+.br
+sha256 filename \- create a SHA-256 hash
+.br
+sha384 filename \- create a SHA-384 hash
+.br
+sha512 filename \- create a SHA-512 hash
+.br
+.LP
+All shortcut commands support the -out option to write the hash to a file.
+.SH OPTIONS
+-in filename the input file to hash (required). The file must exist;
+.br
+ if it cannot be opened the command exits with an error.
+.br
+.LP
+-out filename the output filename, if file does not exist, it will be created
+.LP
+-size size **Usuable only with Blake2b. Block size of the function.
+** denotes only available for specific algorithm
+.SH SEE ALSO
+.BR wolfssl-md5(1) ", " wolfssl-sha256(1) ", " wolfssl-sha384(1) ", " wolfssl-sha512(1) ", " wolfssl-dgst(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-md5.1 b/manpages/wolfssl-md5.1
new file mode 100644
index 00000000..76612dbc
--- /dev/null
+++ b/manpages/wolfssl-md5.1
@@ -0,0 +1,28 @@
+.\" Manpage for wolfssl md5.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl md5 man page"
+.SH NAME
+md5 \- compute and output MD5 message digest
+.SH SYNOPSIS
+wolfssl md5 filename [-out filename]
+.SH DESCRIPTION
+The md5 command is a shortcut for computing MD5 message digests. It is
+equivalent to "wolfssl hash md5 -in filename". The filename argument is
+required; reading from standard input is not currently supported.
+.SH OPTIONS
+-out filename the output filename. If not specified, the digest is
+.br
+ written to standard output.
+.SH NOTES
+This is a convenience shortcut command. For more advanced hashing options
+and other algorithms, see the hash(1) man page.
+.SH SEE ALSO
+.BR wolfssl-hash(1) ", " wolfssl-sha256(1) ", " wolfssl-dgst(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-ocsp.1 b/manpages/wolfssl-ocsp.1
new file mode 100644
index 00000000..037b2f5f
--- /dev/null
+++ b/manpages/wolfssl-ocsp.1
@@ -0,0 +1,79 @@ +.\" Manpage for wolfssl ocsp. +.\" Contact info@wolfssl.com to correct errors or typos. +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ocsp man page" +.SH NAME +ocsp \- OCSP client and responder utility +.SH SYNOPSIS +wolfssl ocsp [client options] [responder options] +.SH DESCRIPTION +Acts as an OCSP client to check certificate revocation status, or as an +OCSP responder (when \-port is given) to serve status responses. +.SH GENERAL OPTIONS +-CAfile file trusted certificates file. +.br +.LP +-help print the ocsp help summary and exit. +.SH CLIENT OPTIONS +Client mode is entered by any of \-cert, \-url, or \-issuer, and requires +both \-cert and \-issuer to complete a check. +.LP +-cert file certificate to check (required for client mode). +.br +.LP +-issuer file issuer certificate (required for client mode). +.br +.LP +-url URL responder URL (overrides the AIA in the certificate). +.br +.LP +-no_nonce do not add an OCSP nonce to the request. +.SH RESPONDER OPTIONS +-port n port to run the responder on. +.br +.LP +-index file certificate status index file. +.br +.LP +-rsigner file responder certificate used to sign responses. +.br +.LP +-rkey file responder key used to sign responses. +.br +.LP +-CA file CA certificate. +.br +.LP +-scgi use the SCGI protocol (for a web server reverse proxy). +.SH EXAMPLES +Check a certificate's status against the responder named in its AIA: +.RS +wolfssl ocsp -cert server-cert.pem -issuer ca-cert.pem +.RE +.LP +Check a certificate against an explicit responder URL: +.RS +wolfssl ocsp -cert server-cert.pem -issuer ca-cert.pem -url http://ocsp.example.com +.RE +.LP +Run an OCSP responder on port 22221: +.RS +wolfssl ocsp -port 22221 -index index.txt -rsigner ocsp-cert.pem -rkey ocsp-key.pem -CA ca-cert.pem +.RE +.SH SEE ALSO +.BR wolfssl-verify(1) ", " wolfssl-crl(1) ", " wolfssl-x509(1) +.SH NOTES +Available only when wolfSSL is built with OCSP support (HAVE_OCSP and +HAVE_OCSP_RESPONDER). 
Exactly one mode must be selected: responder mode via +\-port, or client mode via \-cert/\-url/\-issuer (see CLIENT OPTIONS). +Selecting both, or neither, is an error. For OpenSSL compatibility the tool +accepts many additional ocsp flags (e.g. \-CApath, \-ignore_err, \-host, +\-path, \-serial, \-nonce, \-out, \-text), but these are not yet implemented +and currently return an error. +.SH BUGS +No known bugs at this time. +.SH AUTHOR +wolfSSL, Inc. (info@wolfssl.com) +.SH COPYRIGHT +Copyright 2026 wolfSSL Inc. All rights reserved. +.SH REPORTING BUGS +Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfssl-pkcs12.1 b/manpages/wolfssl-pkcs12.1 new file mode 100644 index 00000000..f5a352a7 --- /dev/null +++ b/manpages/wolfssl-pkcs12.1 @@ -0,0 +1,40 @@ +.\" Manpage for wolfssl pkcs12. +.\" Contact info@wolfssl.com to correct errors or typos. +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkcs12 man page" +.SH NAME +pkcs12 \- parse PKCS#12 bundles +.SH SYNOPSIS +wolfssl pkcs12 [-in file] [-out file] [-passin source] [-nodes] [-nocerts] [-nokeys] +.SH DESCRIPTION +Parses a PKCS#12 bundle and extracts the certificates and private key it +contains. +.SH OPTIONS +-in file file input for the PKCS#12 bundle. +.br +.LP +-out file file to write results to (default stdout). +.br +.LP +-passin source source to read the import password from. +.br +.LP +-nodes do not encrypt the private key on output. +.br +.LP +-nocerts do not output certificates. +.br +.LP +-nokeys do not output keys. +.SH NOTES +Available only when wolfSSL is built with PKCS#12 support (HAVE_PKCS12) and +filesystem support. +.SH SEE ALSO +.BR wolfssl-pkcs8(1) ", " wolfssl-pkcs7(1) ", " wolfssl-pkey(1) +.SH BUGS +No known bugs at this time. +.SH AUTHOR +wolfSSL, Inc. (info@wolfssl.com) +.SH COPYRIGHT +Copyright 2026 wolfSSL Inc. All rights reserved. +.SH REPORTING BUGS +Report wolfssl bugs to support@wolfssl.com 
diff --git a/manpages/wolfssl-pkcs7.1 b/manpages/wolfssl-pkcs7.1
new file mode 100644
index 00000000..7527493f
--- /dev/null
+++ b/manpages/wolfssl-pkcs7.1
@@ -0,0 +1,37 @@
+.\" Manpage for wolfssl pkcs7.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkcs7 man page"
+.SH NAME
+pkcs7 \- parse PKCS#7 files
+.SH SYNOPSIS
+wolfssl pkcs7 [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-print_certs]
+.SH DESCRIPTION
+Parses a PKCS#7 structure and extracts its contents, for example the
+certificates it contains.
+.SH OPTIONS
+-in file file input for the PKCS#7 structure.
+.br
+.LP
+-out file file to write results to (default stdout).
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-print_certs output the certificates contained in the structure.
+.SH SEE ALSO
+.BR wolfssl-pkcs12(1) ", " wolfssl-pkcs8(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with PKCS#7 support (HAVE_PKCS7) and
+filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-pkcs8.1 b/manpages/wolfssl-pkcs8.1
new file mode 100644
index 00000000..be3bc3e3
--- /dev/null
+++ b/manpages/wolfssl-pkcs8.1
@@ -0,0 +1,46 @@
+.\" Manpage for wolfssl pkcs8.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkcs8 man page"
+.SH NAME
+pkcs8 \- convert between PKCS#8 and traditional private key formats
+.SH SYNOPSIS
+wolfssl pkcs8 [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-passin password] [-traditional] [-topk8] [-nocrypt]
+.SH DESCRIPTION
+Converts private keys between PKCS#8 and traditional (PKCS#1) formats.
+.SH OPTIONS
+-in file file input for the key.
+.br
+.LP
+-out file file to write results to (default stdout).
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-passin password password for encrypted input keys.
+.br
+.LP
+-traditional output the key in traditional (PKCS#1) format.
+.br
+.LP
+-topk8 output the key in PKCS#8 format.
+.br
+.LP
+-nocrypt output an unencrypted private key.
+.SH SEE ALSO
+.BR wolfssl-pkcs7(1) ", " wolfssl-pkcs12(1) ", " wolfssl-pkey(1) ", " wolfssl-genkey(1)
+.SH NOTES
+Available only when wolfSSL is built with PKCS#8 support (not NO_PKCS8) and
+filesystem support. Encrypting PKCS#8 keys on output is not yet supported;
+use -nocrypt when writing PKCS#8.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-pkey.1 b/manpages/wolfssl-pkey.1
new file mode 100644
index 00000000..a0d98a65
--- /dev/null
+++ b/manpages/wolfssl-pkey.1
@@ -0,0 +1,39 @@
+.\" Manpage for wolfssl pkey.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkey man page"
+.SH NAME
+pkey \- public and private key processing
+.SH SYNOPSIS
+wolfssl pkey [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-pubin] [-pubout]
+.SH DESCRIPTION
+Reads a public or private key, converts it between PEM and DER, and
+optionally outputs only the public portion.
+.SH OPTIONS
+-in file input file for the key to read.
+.br
+.LP
+-out file file to output to (default stdout).
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-pubin expect a public key as input.
+.br
+.LP
+-pubout output the public key.
+.SH SEE ALSO
+.BR wolfssl-genkey(1) ", " wolfssl-rsa(1) ", " wolfssl-pkcs8(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-rand.1 b/manpages/wolfssl-rand.1
new file mode 100644
index 00000000..16234af6
--- /dev/null
+++ b/manpages/wolfssl-rand.1
@@ -0,0 +1,31 @@
+.\" Manpage for wolfssl rand.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl rand man page"
+.SH NAME
+rand \- generate random data
+.SH SYNOPSIS
+wolfssl rand [-out file] [-base64] [-hex]
+.SH DESCRIPTION
+Generates the requested number of pseudorandom bytes and writes them to a
+file or to standard output.
+.SH OPTIONS
+-out file file to output data to (default stdout).
+.br
+.LP
+-base64 output the result in base64 encoding.
+.br
+.LP
+-hex output the result in hex encoding.
+.SH NOTES
+The number of bytes to generate is given as the final argument. Available
+only when wolfSSL is built with an RNG (not WC_NO_RNG).
+.SH SEE ALSO
+.BR wolfssl-base64(1) ", " wolfssl-enc(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-req.1 b/manpages/wolfssl-req.1
new file mode 100644
index 00000000..071e9d97
--- /dev/null
+++ b/manpages/wolfssl-req.1
@@ -0,0 +1,92 @@
+.\" Manpage for wolfssl req.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl req man page"
+.SH NAME
+req \- generate certificate requests and self-signed certificates
+.SH SYNOPSIS
+wolfssl req [-in file] [-out file] [-key file] [-newkey type:bits] [-keyout file] [-inform PEM|DER] [-outform PEM|DER] [-config file] [-days n] [-x509] [-subj name] [-extensions section] [-nodes] [-verify] [-text] [-noout]
+.SH DESCRIPTION
+Creates a PKCS#10 certificate signing request (CSR), or with \-x509 a
+self-signed certificate. The signing key may be supplied with \-key or
+generated on the fly with \-newkey.
+.SH OPTIONS
+-in file input file to read from.
+.br
+.LP
+-out file file to write to (default stdout).
+.br
+.LP
+-key file private key used to sign the certificate request.
+.br
+.LP
+-newkey type:bits generate the private key to use with the request.
+.br
+ Only RSA is supported, e.g. rsa:2048. To use an ECC
+.br
+ key, generate it first with the ecparam command.
+.br
+.LP
+-keyout file file to output the generated key to.
+.br
+.LP
+-inform PEM|DER format for -in.
+.br
+.LP
+-outform PEM|DER format for -out.
+.br
+.LP
+-config file file to parse for certificate configuration.
+.br
+.LP
+-days n number of days the certificate should be valid for.
+.br
+.LP
+-x509 generate a self-signed certificate instead of a CSR.
+.br
+.LP
+-subj name subject name, e.g.
+.br
+ O=wolfSSL/C=US/ST=WA/L=Seattle/CN=wolfSSL/OU=org-unit.
+.br
+.LP
+-extensions section section of the config file to read extensions from.
+.br
+.LP
+-nodes do not encrypt the private key on output.
+.br
+.LP
+-verify check the signature on the request.
+.br
+.LP
+-text output human readable text of the request.
+.br
+.LP
+-noout do not print the generated results.
+.SH EXAMPLES
+Create a certificate signing request (CSR) with a new key:
+.RS
+wolfssl req -new -newkey rsa:2048 -keyout mykey.pem -out mycsr.pem -subj "/C=US/ST=WA/L=Seattle/O=MyCompany/CN=example.com"
+.RE
+.LP
+Create a self-signed certificate valid for 365 days:
+.RS
+wolfssl req -new -x509 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem -days 365 -subj "/C=US/O=Test/CN=localhost"
+.RE
+.LP
+View a CSR in human-readable format:
+.RS
+wolfssl req -in mycsr.pem -text -noout
+.RE
+.SH SEE ALSO
+.BR wolfssl-genkey(1) ", " wolfssl-ca(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with certificate request support
+(WOLFSSL_CERT_REQ) and filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-rsa.1 b/manpages/wolfssl-rsa.1
new file mode 100644
index 00000000..c229228a
--- /dev/null
+++ b/manpages/wolfssl-rsa.1
@@ -0,0 +1,53 @@
+.\" Manpage for wolfssl rsa.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl rsa man page"
+.SH NAME
+rsa \- RSA key processing
+.SH SYNOPSIS
+wolfssl rsa [-in file] [-inform PEM|DER] [-out file] [-outform PEM|DER] [-passin password] [-pubin] [-pubout] [-RSAPublicKey_in] [-noout] [-modulus]
+.SH DESCRIPTION
+Reads an RSA key, converts it between PEM and DER, and prints selected
+key information. This is the RSA key-processing command; for legacy RSA
+signing and verification see the sign/verify documentation (wolfssl -rsa
+-sign / -verify).
+.SH OPTIONS
+-in file input file for the key to read.
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-out file file to write the result to (default stdout).
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-passin password password for PEM-encrypted input files.
+.br
+.LP
+-pubin expect a public key as input.
+.br
+.LP
+-pubout output a public key.
+.br
+.LP
+-RSAPublicKey_in expect an RSAPublicKey-format public key as input.
+.br
+.LP
+-noout do not print the key.
+.br
+.LP
+-modulus print out the RSA modulus (n).
+.SH SEE ALSO
+.BR wolfssl-genkey(1) ", " wolfssl-pkey(1) ", " wolfssl-sign_verify(1) ", " wolfssl-dgst(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-s_client.1 b/manpages/wolfssl-s_client.1
new file mode 100644
index 00000000..45dab2a0
--- /dev/null
+++ b/manpages/wolfssl-s_client.1
@@ -0,0 +1,67 @@ +.\" Manpage for wolfssl s_client. +.\" Contact info@wolfssl.com to correct errors or typos. +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl s_client man page" +.SH NAME +s_client \- basic TLS client for testing connections +.SH SYNOPSIS +wolfssl s_client -connect : [-starttls proto] [-CAfile file] [-verify_return_error] [-disable_stdin_check] [-noservername] [-help] +.SH DESCRIPTION +Opens a TLS connection to a server for testing. Server Name Indication is +sent by default. Certificate verification is disabled by default and can be +enabled with -verify_return_error. +.SH OPTIONS +-connect host:port address and port to connect to. IPv6 addresses use +.br + bracket notation, e.g. -connect '[::1]:11111'. +.br +.LP +-starttls proto use STARTTLS for the named protocol, e.g. smtp. +.br +.LP +-CAfile file CA certificate file to verify the server against. +.br +.LP +-verify_return_error close the connection on a verification error. +.br +.LP +-disable_stdin_check do not wait for or read input on stdin; useful when +.br + scripting the client. +.br +.LP +-noservername do not send Server Name Indication. +.br +.LP +-help, -h print the s_client help summary and exit. +.SH EXAMPLES +Connect to a server without certificate verification (testing only): +.RS +wolfssl s_client -connect example.com:443 +.RE +.LP +Connect and verify the server's certificate: +.RS +wolfssl s_client -connect example.com:443 -CAfile ca-cert.pem -verify_return_error +.RE +.LP +Connect to an SMTP server using STARTTLS: +.RS +wolfssl s_client -connect mail.example.com:25 -starttls smtp +.RE +.SH SEE ALSO +.BR wolfssl-s_server(1) ", " wolfssl-verify(1) ", " wolfssl-ocsp(1) +.SH NOTES +Available only when wolfSSL is built with filesystem support. +.LP +The client negotiates the highest TLS version both peers support. CRL +checking is not performed. 
The server certificate is only verified when +\-verify_return_error is given; without it the connection proceeds +unverified (with a warning) even if \-CAfile is supplied. +.SH BUGS +No known bugs at this time. +.SH AUTHOR +wolfSSL, Inc. (info@wolfssl.com) +.SH COPYRIGHT +Copyright 2026 wolfSSL Inc. All rights reserved. +.SH REPORTING BUGS +Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfssl-s_server.1 b/manpages/wolfssl-s_server.1 new file mode 100644 index 00000000..536b98be --- /dev/null +++ b/manpages/wolfssl-s_server.1 
@@ -0,0 +1,69 @@
+.\" Manpage for wolfssl s_server.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl s_server man page"
+.SH NAME
+s_server \- basic TLS server for testing connections
+.SH SYNOPSIS
+wolfssl s_server -port -cert -key [-CAfile file] [-noVerify] [-version n] [-naccept n] [-www] [-readyFile file] [-help]
+.SH DESCRIPTION
+Runs a simple TLS server for testing connections. Supply a certificate and
+key (\-cert and \-key, PEM only). By default the server accepts one
+connection and then exits; use \-naccept to change this.
+.SH OPTIONS
+-port n port to listen on.
+.br
+.LP
+-cert file server certificate (PEM only).
+.br
+.LP
+-key file server private key (PEM only).
+.br
+.LP
+-CAfile file CA certificate file (PEM only).
+.br
+.LP
+-noVerify disable the client certificate check.
+.br
+.LP
+-version n SSL/TLS version [0-4], SSLv3(0) through TLS1.3(4).
+.br
+.LP
+-naccept n number of connections to accept (default 1).
+.br
+.LP
+-www respond in HTML format.
+.br
+.LP
+-readyFile file write a file once the server is listening, so a script
+.br
+ can wait for it before connecting.
+.br
+.LP
+-help, -h print the s_server help summary and exit.
+.SH EXAMPLES
+Start a basic TLS server on port 443:
+.RS
+wolfssl s_server -port 443 -cert server-cert.pem -key server-key.pem
+.RE
+.LP
+Start a TLS server that accepts multiple connections:
+.RS
+wolfssl s_server -port 8443 -cert server-cert.pem -key server-key.pem -naccept 0
+.RE
+.LP
+Test with s_client in another terminal:
+.RS
+wolfssl s_client -connect localhost:8443
+.RE
+.SH SEE ALSO
+.BR wolfssl-s_client(1) ", " wolfssl-req(1) ", " wolfssl-ca(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-sha256.1 b/manpages/wolfssl-sha256.1
new file mode 100644
index 00000000..23d38ad3
--- /dev/null
+++ b/manpages/wolfssl-sha256.1
@@ -0,0 +1,28 @@
+.\" Manpage for wolfssl sha256.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sha256 man page"
+.SH NAME
+sha256 \- compute and output SHA-256 message digest
+.SH SYNOPSIS
+wolfssl sha256 filename [-out filename]
+.SH DESCRIPTION
+The sha256 command is a shortcut for computing SHA-256 message digests. It is
+equivalent to "wolfssl hash sha256 -in filename". The filename argument is
+required; reading from standard input is not currently supported.
+.SH OPTIONS
+-out filename the output filename. If not specified, the digest is
+.br
+ written to standard output.
+.SH NOTES
+This is a convenience shortcut command. For more advanced hashing options
+and other algorithms, see the hash(1) man page.
+.SH SEE ALSO
+.BR wolfssl-hash(1) ", " wolfssl-md5(1) ", " wolfssl-sha384(1) ", " wolfssl-sha512(1) ", " wolfssl-dgst(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-sha384.1 b/manpages/wolfssl-sha384.1
new file mode 100644
index 00000000..8d4c9834
--- /dev/null
+++ b/manpages/wolfssl-sha384.1
@@ -0,0 +1,28 @@
+.\" Manpage for wolfssl sha384.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sha384 man page"
+.SH NAME
+sha384 \- compute and output SHA-384 message digest
+.SH SYNOPSIS
+wolfssl sha384 filename [-out filename]
+.SH DESCRIPTION
+The sha384 command is a shortcut for computing SHA-384 message digests. It is
+equivalent to "wolfssl hash sha384 -in filename". The filename argument is
+required; reading from standard input is not currently supported.
+.SH OPTIONS
+-out filename the output filename. If not specified, the digest is
+.br
+ written to standard output.
+.SH NOTES
+This is a convenience shortcut command. For more advanced hashing options
+and other algorithms, see the hash(1) man page.
+.SH SEE ALSO
+.BR wolfssl-hash(1) ", " wolfssl-md5(1) ", " wolfssl-sha256(1) ", " wolfssl-sha512(1) ", " wolfssl-dgst(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-sha512.1 b/manpages/wolfssl-sha512.1
new file mode 100644
index 00000000..31e0cc22
--- /dev/null
+++ b/manpages/wolfssl-sha512.1
@@ -0,0 +1,28 @@
+.\" Manpage for wolfssl sha512.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sha512 man page"
+.SH NAME
+sha512 \- compute and output SHA-512 message digest
+.SH SYNOPSIS
+wolfssl sha512 filename [-out filename]
+.SH DESCRIPTION
+The sha512 command is a shortcut for computing SHA-512 message digests. It is
+equivalent to "wolfssl hash sha512 -in filename". The filename argument is
+required; reading from standard input is not currently supported.
+.SH OPTIONS
+-out filename the output filename. If not specified, the digest is
+.br
+ written to standard output.
+.SH NOTES
+This is a convenience shortcut command. For more advanced hashing options
+and other algorithms, see the hash(1) man page.
+.SH SEE ALSO
+.BR wolfssl-hash(1) ", " wolfssl-md5(1) ", " wolfssl-sha256(1) ", " wolfssl-sha384(1) ", " wolfssl-dgst(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-sign_verify.1 b/manpages/wolfssl-sign_verify.1
new file mode 100644
index 00000000..c1859172
--- /dev/null
+++ b/manpages/wolfssl-sign_verify.1
@@ -0,0 +1,79 @@
+.\" Manpage for wolfssl sign/verify (rsa, ecc, ed25519, dilithium, xmss, xmssmt).
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sign/verify man page"
+.SH NAME
+sign, verify \- raw public-key signing and signature verification
+.SH SYNOPSIS
+wolfssl -sign -inkey -in -out
+.br
+wolfssl -verify -inkey -sigfile -in [-pubin]
+.SH DESCRIPTION
+Creates or verifies a raw public-key signature. The keytype is one of the
+supported algorithms below. These are the per-algorithm sign/verify modes;
+for digest-based signing see dgst, and for RSA key conversion see the rsa
+command.
+.SH KEY TYPES
+-rsa Legacy RSA signing and verification.
+.br
+-ecc ECC signing and verification.
+.br
+-ed25519 Ed25519 signing and verification (requires HAVE_ED25519).
+.br
+-dilithium Dilithium (ML-DSA) signing and verification (requires HAVE_DILITHIUM).
+.br
+-xmss XMSS signing and verification (requires WOLFSSL_HAVE_XMSS).
+.br
+-xmssmt XMSS^MT signing and verification (requires WOLFSSL_HAVE_XMSS).
+.SH OPTIONS
+-sign create a signature.
+.br
+.LP
+-verify verify a signature.
+.br
+.LP
+-inkey file key to use. A private key for signing; for verify this
+.br
+ may be a private or public key (use -pubin for a public
+.br
+ key).
+.br
+.LP
+-in file input file: the data to sign, or for verify the
+.br
+ original data.
+.br
+.LP
+-out file output file for the signature when signing.
+.br
+.LP
+-sigfile file signature file to check when verifying.
+.br
+.LP
+-pubin treat the key supplied with -inkey as a public key.
+.SH EXAMPLES
+Sign a file with an RSA private key:
+.br
+wolfssl -rsa -sign -inkey priv.pem -in message.txt -out message.sig
+.br
+.LP
+Verify with an RSA public key:
+.br
+wolfssl -rsa -verify -inkey pub.pem -sigfile message.sig -in message.txt -pubin
+.br
+.LP
+Verify with an ECC public key:
+.br
+wolfssl -ecc -verify -inkey pub.pem -sigfile message.sig -in message.txt -pubin
+.SH NOTES
+Available only when wolfSSL is built with filesystem support. The set of
+usable key types depends on the wolfSSL configure options.
+.SH SEE ALSO
+.BR wolfssl-dgst(1) ", " wolfssl-genkey(1) ", " wolfssl-req(1) ", " wolfssl-ca(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-verify.1 b/manpages/wolfssl-verify.1
new file mode 100644
index 00000000..26359ab0
--- /dev/null
+++ b/manpages/wolfssl-verify.1
@@ -0,0 +1,54 @@
+.\" Manpage for wolfssl verify.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl verify man page"
+.SH NAME
+verify \- verify an X.509 certificate chain
+.SH SYNOPSIS
+wolfssl verify -CAfile [-untrusted ] [-crl_check] [-partial_chain]
+.SH DESCRIPTION
+Verifies an X.509 certificate against a trusted CA certificate, optionally
+building the chain with an intermediate certificate and checking
+revocation.
+.SH OPTIONS
+-CAfile file trusted root CA certificate to verify against.
+.br
+.LP
+-untrusted file intermediate certificate file. Only one intermediate
+.br
+ certificate may be loaded.
+.br
+.LP
+-crl_check enable CRL checking. Requires wolfSSL built with CRL
+.br
+ support (HAVE_CRL).
+.br
+.LP
+-partial_chain allow verification to succeed with a partial chain.
+.SH EXAMPLES
+Verify a certificate against a trusted root CA:
+.RS
+wolfssl verify -CAfile ca-cert.pem server-cert.pem
+.RE
+.LP
+Verify a certificate with an intermediate CA:
+.RS
+wolfssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem server-cert.pem
+.RE
+.LP
+Verify a certificate and check the CRL:
+.RS
+wolfssl verify -CAfile ca-cert.pem -crl_check server-cert.pem
+.RE
+.SH SEE ALSO
+.BR wolfssl-x509(1) ", " wolfssl-crl(1)
+.SH NOTES
+The certificate to verify is given as the final argument. Available only
+when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-version.1 b/manpages/wolfssl-version.1
new file mode 100644
index 00000000..cb2c1f78
--- /dev/null
+++ b/manpages/wolfssl-version.1
@@ -0,0 +1,20 @@
+.\" Manpage for wolfssl version.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl version man page"
+.SH NAME
+version \- display wolfCLU and wolfSSL version information
+.SH SYNOPSIS
+wolfssl version
+.SH DESCRIPTION
+Prints the version information for both the wolfCLU command-line utility and
+the underlying wolfSSL library it is linked against.
+.SH NOTES
+This is a simple informational command that takes no arguments or options.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-x509.1 b/manpages/wolfssl-x509.1
new file mode 100644
index 00000000..8b762496
--- /dev/null
+++ b/manpages/wolfssl-x509.1
@@ -0,0 +1,100 @@
+.\" Manpage for wolfssl x509.
+.\" Contact info@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl x509 man page"
+.SH NAME
+x509 \- X.509 certificate processing and conversion
+.SH SYNOPSIS
+wolfssl x509 [-inform PEM|DER] [-in file] [-outform PEM|DER] [-out file] [-req] [-signkey file] [-extfile file] [-extensions section] [-noout] [-text] [-subject] [-issuer] [-serial] [-dates] [-email] [-fingerprint] [-purpose] [-hash] [-modulus] [-pubkey]
+.SH DESCRIPTION
+Reads an X.509 certificate and converts it between PEM and DER formats
+and/or prints selected fields. By default the (re-encoded) certificate is
+written to the output.
+.SH OPTIONS
+-in file the certificate file to read from.
+.br
+.LP
+-out file output file to write to.
+.br
+.LP
+-inform PEM|DER input format of the certificate.
+.br
+.LP
+-outform PEM|DER output format of the certificate.
+.br
+.LP
+-req treat the input file as a CSR.
+.br
+.LP
+-signkey file key used for signing.
+.br
+.LP
+-extfile file configuration file for extensions.
+.br
+.LP
+-extensions section section of the config file to use.
+.br
+.LP
+-noout do not output the certificate.
+.br
+.LP
+-text print human readable text of the certificate.
+.br
+.LP
+-subject print out the subject name.
+.br
+.LP
+-issuer print out the issuer name.
+.br
+.LP
+-serial print out the serial number in hex.
+.br
+.LP
+-dates print out the validity dates of the certificate.
+.br
+.LP
+-email print out the subject's email address.
+.br
+.LP
+-fingerprint print out the hash of the certificate in DER form.
+.br
+.LP
+-purpose print out the certificate's purpose.
+.br
+.LP
+-hash print out the hash of the certificate subject name.
+.br
+.LP
+-modulus print out the RSA key modulus.
+.br
+.LP
+-pubkey print out the public key.
+.SH EXAMPLES
+View certificate details in human-readable format:
+.RS
+wolfssl x509 -in mycert.pem -text -noout
+.RE
+.LP
+Check when a certificate expires:
+.RS
+wolfssl x509 -in mycert.pem -dates -noout
+.RE
+.LP
+Extract the public key from a certificate:
+.RS
+wolfssl x509 -in mycert.pem -pubkey -noout > pubkey.pem
+.RE
+.LP
+Convert a PEM certificate to DER:
+.RS
+wolfssl x509 -inform pem -in certs/ca-cert.pem -outform der -out certs/ca-cert.der
+.RE
+.SH SEE ALSO
+.BR wolfssl-req(1) ", " wolfssl-ca(1) ", " wolfssl-verify(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (info@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-xmss.1 b/manpages/wolfssl-xmss.1
new file mode 100644
index 00000000..4760e28e
--- /dev/null
+++ b/manpages/wolfssl-xmss.1
@@ -0,0 +1,2 @@
+.\" Alias page: xmss sign/verify is documented in wolfssl-sign_verify(1).
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-xmssmt.1 b/manpages/wolfssl-xmssmt.1
new file mode 100644
index 00000000..aa9f8798
--- /dev/null
+++ b/manpages/wolfssl-xmssmt.1
@@ -0,0 +1,2 @@
+.\" Alias page: xmssmt sign/verify is documented in wolfssl-sign_verify(1).
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl.1 b/manpages/wolfssl.1
index 6671276c..7bfb2db4 100644
--- a/manpages/wolfssl.1
+++ b/manpages/wolfssl.1
@@ -1,35 +1,146 @@ .\" Manpage for wolfssl command line utility main options. .\" Contact support@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl man page" +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl man page" .SH NAME -wolfssl \- wolfSSL Command Line Utility. +wolfssl \- wolfSSL Command Line Utility. .SH SYNOPSIS wolfssl COMMAND [OPTIONS]... [ARGUMENTS]... .SH DESCRIPTION The wolfssl program is a command line tool for using various cryptographic functions of wolfSSL's wolfCrypt cryptography library. -wolfSSL supports industry standards up to the current TLSv1.2 and DTLSv1.2 and offers a simple API for ease of use. Which can be utilized for: - \- Encryption and Decryption with Ciphers +wolfSSL supports industry standards up to the current TLSv1.3 and DTLSv1.3 and offers a simple API for ease of use. It can be utilized for: + \- Encryption and decryption with ciphers \- Hashing functionality \- Benchmark utilities - \- x509 conversion from PEM to DER or DER to PEM - With more features to come. + \- X.509 certificate processing and conversion + \- Certificate requests and signing (CA) + \- Key generation and key format conversion + \- Signing and signature verification + \- TLS client/server testing +.SH QUICK START +Here are three common tasks to get started: +.TP +.B Encrypt a file with a password +.RS +wolfssl encrypt -aes-cbc-256 -in myfile.txt -out myfile.enc -pwd mypassword +.RE +.TP +.B Generate a 2048-bit RSA key pair +.RS +wolfssl genkey rsa -size 2048 -out mykey +.br +(writes the private key to mykey.priv and the public key to mykey.pub) +.RE +.TP +.B Create a certificate for testing +.RS +wolfssl req -new -newkey rsa:2048 -x509 -days 365 -out cert.pem +.RE +.TP +To explore more, see the COMMAND SUMMARY below, or run: +.RS +wolfssl -h +.RE .SH COMMAND SUMMARY -wolfSSL offers many different commands all of which have a vast variety of options and arguments. 
-This utility is to be used with wolfSSL installed and can use different function based on different ./configure options +wolfSSL offers many different commands, all of which have a variety of options and arguments. +This utility is to be used with wolfSSL installed and the available commands depend on the wolfSSL ./configure options. +Most commands have their own man page (named wolfssl-) with full details. +Some are grouped: bench is documented in wolfssl-bench, the hashing shortcuts +md5/sha256/sha384/sha512 in wolfssl-hash, and the raw sign/verify key types in +wolfssl-sign_verify; version and help have no separate page. -LIST - -encrypt \- encrypt a file or basic input using various algorithms and options - -decrypt \- decrypt a file or basic input using various algorithms and options - -hash \- hash a file or basic input using a variety of hashing algorithms - -bench \- tests the processing speed of the ciphersuites - -x509 \- converts an existing PEM formatted certificate to DER format or vise versa +Certificates and CAs + ca sign certificates from a CSR or self-sign + x509 X.509 certificate processing and conversion + req generate certificate requests / self-signed certs + verify verify an X.509 certificate chain + crl parse and verify Certificate Revocation Lists + +Keys + genkey generate cryptographic keys + pkey public/private key processing + rsa RSA key processing + ecparam EC parameter and key generation + dsaparam DSA parameter and key generation + dhparam Diffie-Hellman parameter and key generation + +PKCS and signing + pkcs7 parse PKCS#7 files + pkcs8 PKCS#8 private key conversion + pkcs12 parse PKCS#12 bundles + dgst create/verify message digest signatures + ecc/ed25519/dilithium/xmss/xmssmt raw sign and verify (see sign/verify; -rsa also) + +Symmetric crypto and encoding + encrypt encrypt a file or input + decrypt decrypt a file or input + enc generic encrypt/decrypt (OpenSSL-style) + base64 base64 encode/decode + rand generate random data + 
+Hashing + hash hash a file or input + md5 create an MD5 hash + sha256 create a SHA-256 hash + sha384 create a SHA-384 hash + sha512 create a SHA-512 hash + +Benchmark and TLS + bench benchmark the algorithms + s_client basic TLS client for testing + s_server basic TLS server for testing + ocsp OCSP client and responder (if supported) + +Misc + version print wolfCLU/wolfSSL version + help print the help menu .SH OPTIONS -Acceptable options can be brought up using either "-help" or through the man pages of the commands +Acceptable options can be brought up using either "-help" / "-h" or through the man pages of the individual commands. +.SH GLOSSARY +Common terms you'll see in wolfssl and cryptography: +.TP +.B PEM / DER +File formats for keys and certificates. PEM is text-based (starts with "-----BEGIN..."), DER is binary. Most commands default to PEM; use -inform DER if your file is binary. +.TP +.B CSR +Certificate Signing Request. A file you send to a Certificate Authority to request a signed certificate. Create one with +.B wolfssl-req(1). +.TP +.B CA +Certificate Authority. An entity that signs certificates, confirming they are valid. See +.B wolfssl-ca(1) +to sign requests yourself. +.TP +.B CRL / OCSP +Certificate Revocation List / Online Certificate Status Protocol. Ways to check if a certificate has been cancelled. See +.B wolfssl-crl(1) +and +.B wolfssl-ocsp(1). +.TP +.B PKCS#1, PKCS#8, PKCS#12 +Key/certificate container formats. PKCS#8 is commonly used for private keys; PKCS#12 bundles a key and certificate together. See +.B wolfssl-pkcs8(1) +and +.B wolfssl-pkcs12(1). +.TP +.B Digest / Hash +A fingerprint of data (e.g., MD5, SHA-256). Cannot be reversed to get the original data. Commonly used to verify file integrity or as part of signing. See +.B wolfssl-hash(1) +and +.B wolfssl-dgst(1). +.TP +.B Salt +Random data added to a password before hashing, making dictionary attacks harder. Used in encryption with passwords. 
+.TP
+.B Key Derivation
+Converting a password into a cryptographic key suitable for encryption. See
+.B wolfssl-enc(1).
+.SH SEE ALSO
+.BR wolfssl-encrypt(1) ", " wolfssl-decrypt(1) ", " wolfssl-genkey(1) ", " wolfssl-req(1) ", " wolfssl-ca(1) ", " wolfssl-x509(1) ", " wolfssl-verify(1)
 .SH BUGS
 No known bugs at this time.
 .SH AUTHOR
 wolfSSL, Inc. (info@wolfssl.com)
 .SH COPYRIGHT
-Copyright 2014 wolfSSL Inc. All rights reserved.
+Copyright 2026 wolfSSL Inc. All rights reserved.
 .SH REPORTING BUGS
 Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl.1.gz b/manpages/wolfssl.1.gz
deleted file mode 100644
index 6f6c181e..00000000
Binary files a/manpages/wolfssl.1.gz and /dev/null differ