From c29c8d73632bee9b6aeea0215d73dc18fbcc4526 Mon Sep 17 00:00:00 2001 
From: Emma Stensland Date: Thu, 11 Jun 2026 16:20:43 -0600 Subject: [PATCH] add manpages for wolfclu tools --- .gitignore | 1 + Makefile.am | 80 ++++++++++++++++- README.md | 40 ++++++++- configure.ac | 10 +++ manpages/gzip_all.sh | 5 -- manpages/manual.txt | 140 ++++-------------------------- manpages/wolfCLU_benchmark.1 | 34 -------- manpages/wolfCLU_benchmark.1.gz | Bin 506 -> 0 bytes manpages/wolfCLU_decrypt.1 | 74 ---------------- manpages/wolfCLU_decrypt.1.gz | Bin 874 -> 0 bytes manpages/wolfCLU_encrypt.1 | 70 --------------- manpages/wolfCLU_encrypt.1.gz | Bin 843 -> 0 bytes manpages/wolfCLU_hash.1 | 37 -------- manpages/wolfCLU_hash.1.gz | Bin 662 -> 0 bytes manpages/wolfssl-base64.1 | 31 +++++++ manpages/wolfssl-bench.1 | 64 ++++++++++++++ manpages/wolfssl-ca.1 | 97 +++++++++++++++++++++ manpages/wolfssl-crl.1 | 46 ++++++++++ manpages/wolfssl-decrypt.1 | 90 +++++++++++++++++++ manpages/wolfssl-dgst.1 | 62 +++++++++++++ manpages/wolfssl-dhparam.1 | 47 ++++++++++ manpages/wolfssl-dilithium.1 | 5 ++ manpages/wolfssl-dsaparam.1 | 39 +++++++++ manpages/wolfssl-ecc.1 | 5 ++ manpages/wolfssl-ecparam.1 | 50 +++++++++++ manpages/wolfssl-ed25519.1 | 5 ++ manpages/wolfssl-enc.1 | 92 ++++++++++++++++++++ manpages/wolfssl-encrypt.1 | 88 +++++++++++++++++++ manpages/wolfssl-genkey.1 | 103 ++++++++++++++++++++++ manpages/wolfssl-hash.1 | 72 ++++++++++++++++ manpages/wolfssl-md5.1 | 5 ++ manpages/wolfssl-ocsp.1 | 84 ++++++++++++++++++ manpages/wolfssl-pkcs12.1 | 49 +++++++++++ manpages/wolfssl-pkcs7.1 | 40 +++++++++ manpages/wolfssl-pkcs8.1 | 51 +++++++++++ manpages/wolfssl-pkey.1 | 45 ++++++++++ manpages/wolfssl-rand.1 | 33 +++++++ manpages/wolfssl-req.1 | 113 ++++++++++++++++++++++++ manpages/wolfssl-rsa.1 | 61 +++++++++++++ manpages/wolfssl-s_client.1 | 71 +++++++++++++++ manpages/wolfssl-s_server.1 | 71 +++++++++++++++ manpages/wolfssl-sha256.1 | 5 ++ manpages/wolfssl-sha384.1 | 5 ++ manpages/wolfssl-sha512.1 | 5 ++ manpages/wolfssl-sign_verify.1 | 88 
+++++++++++++++++++ manpages/wolfssl-verify.1 | 67 +++++++++++++++ manpages/wolfssl-version.1 | 27 ++++++ manpages/wolfssl-x509.1 | 130 ++++++++++++++++++++++++++++ manpages/wolfssl-xmss.1 | 5 ++ manpages/wolfssl-xmssmt.1 | 5 ++ manpages/wolfssl.1 | 148 ++++++++++++++++++++++++++++---- manpages/wolfssl.1.gz | Bin 864 -> 0 bytes 52 files changed, 2129 insertions(+), 366 deletions(-) delete mode 100755 manpages/gzip_all.sh delete mode 100644 manpages/wolfCLU_benchmark.1 delete mode 100644 manpages/wolfCLU_benchmark.1.gz delete mode 100644 manpages/wolfCLU_decrypt.1 delete mode 100644 manpages/wolfCLU_decrypt.1.gz delete mode 100644 manpages/wolfCLU_encrypt.1 delete mode 100644 manpages/wolfCLU_encrypt.1.gz delete mode 100644 manpages/wolfCLU_hash.1 delete mode 100644 manpages/wolfCLU_hash.1.gz create mode 100644 manpages/wolfssl-base64.1 create mode 100644 manpages/wolfssl-bench.1 create mode 100644 manpages/wolfssl-ca.1 create mode 100644 manpages/wolfssl-crl.1 create mode 100644 manpages/wolfssl-decrypt.1 create mode 100644 manpages/wolfssl-dgst.1 create mode 100644 manpages/wolfssl-dhparam.1 create mode 100644 manpages/wolfssl-dilithium.1 create mode 100644 manpages/wolfssl-dsaparam.1 create mode 100644 manpages/wolfssl-ecc.1 create mode 100644 manpages/wolfssl-ecparam.1 create mode 100644 manpages/wolfssl-ed25519.1 create mode 100644 manpages/wolfssl-enc.1 create mode 100644 manpages/wolfssl-encrypt.1 create mode 100644 manpages/wolfssl-genkey.1 create mode 100644 manpages/wolfssl-hash.1 create mode 100644 manpages/wolfssl-md5.1 create mode 100644 manpages/wolfssl-ocsp.1 create mode 100644 manpages/wolfssl-pkcs12.1 create mode 100644 manpages/wolfssl-pkcs7.1 create mode 100644 manpages/wolfssl-pkcs8.1 create mode 100644 manpages/wolfssl-pkey.1 create mode 100644 manpages/wolfssl-rand.1 create mode 100644 manpages/wolfssl-req.1 create mode 100644 manpages/wolfssl-rsa.1 create mode 100644 manpages/wolfssl-s_client.1 create mode 100644 manpages/wolfssl-s_server.1 
create mode 100644 manpages/wolfssl-sha256.1 create mode 100644 manpages/wolfssl-sha384.1 create mode 100644 manpages/wolfssl-sha512.1 create mode 100644 manpages/wolfssl-sign_verify.1 create mode 100644 manpages/wolfssl-verify.1 create mode 100644 manpages/wolfssl-version.1 create mode 100644 manpages/wolfssl-x509.1 create mode 100644 manpages/wolfssl-xmss.1 create mode 100644 manpages/wolfssl-xmssmt.1 delete mode 100644 manpages/wolfssl.1.gz diff --git a/.gitignore b/.gitignore index ba9c8551..33595f5b 100644 --- a/.gitignore +++ b/.gitignore @@ -54,3 +54,4 @@ CLAUDE.md /index.txt /serial-file-test /rand-file-test +manpages/*.1.gz diff --git a/Makefile.am b/Makefile.am index 65832320..6ef17b86 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -44,11 +44,48 @@ EXTRA_DIST+= wolfclu.sln EXTRA_DIST+= wolfCLU.vcxproj EXTRA_DIST+= wolfCLU.vcxproj.filters -man_MANS+= manpages/wolfCLU_benchmark.1 -man_MANS+= manpages/wolfCLU_decrypt.1 -man_MANS+= manpages/wolfCLU_encrypt.1 -man_MANS+= manpages/wolfCLU_hash.1 +if ENABLE_MANPAGES man_MANS+= manpages/wolfssl.1 +man_MANS+= manpages/wolfssl-bench.1 +man_MANS+= manpages/wolfssl-decrypt.1 +man_MANS+= manpages/wolfssl-encrypt.1 +man_MANS+= manpages/wolfssl-hash.1 +man_MANS+= manpages/wolfssl-enc.1 +man_MANS+= manpages/wolfssl-ca.1 +man_MANS+= manpages/wolfssl-x509.1 +man_MANS+= manpages/wolfssl-req.1 +man_MANS+= manpages/wolfssl-verify.1 +man_MANS+= manpages/wolfssl-crl.1 +man_MANS+= manpages/wolfssl-genkey.1 +man_MANS+= manpages/wolfssl-pkey.1 +man_MANS+= manpages/wolfssl-rsa.1 +man_MANS+= manpages/wolfssl-ecparam.1 +man_MANS+= manpages/wolfssl-dsaparam.1 +man_MANS+= manpages/wolfssl-dhparam.1 +man_MANS+= manpages/wolfssl-pkcs7.1 +man_MANS+= manpages/wolfssl-pkcs8.1 +man_MANS+= manpages/wolfssl-pkcs12.1 +man_MANS+= manpages/wolfssl-dgst.1 +man_MANS+= manpages/wolfssl-sign_verify.1 +# The keytype and hash-shortcut pages below are .so aliases for +# wolfssl-sign_verify.1 and wolfssl-hash.1 respectively. .so pages only +# render once installed under man1/. +man_MANS+= manpages/wolfssl-ecc.1 +man_MANS+= manpages/wolfssl-ed25519.1 +man_MANS+= manpages/wolfssl-dilithium.1 +man_MANS+= manpages/wolfssl-xmss.1 +man_MANS+= manpages/wolfssl-xmssmt.1 +man_MANS+= manpages/wolfssl-rand.1 +man_MANS+= manpages/wolfssl-base64.1 +man_MANS+= manpages/wolfssl-s_client.1 +man_MANS+= manpages/wolfssl-s_server.1 +man_MANS+= manpages/wolfssl-ocsp.1 +man_MANS+= manpages/wolfssl-md5.1 +man_MANS+= manpages/wolfssl-sha256.1 +man_MANS+= manpages/wolfssl-sha384.1 +man_MANS+= manpages/wolfssl-sha512.1 +man_MANS+= manpages/wolfssl-version.1 +endif include src/include.am include wolfclu/include.am 
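Review bot: The added comment `# The keytype and hash-shortcut pages below are .so aliases ...` sits above a run that also lists `wolfssl-rand.1`, `wolfssl-base64.1`, `wolfssl-s_client.1`, `wolfssl-s_server.1`, `wolfssl-ocsp.1` and `wolfssl-version.1`, which the diffstat shows as full pages (27 to 84 lines) rather than 5-line stubs. Grouping the nine stub entries (ecc, ed25519, dilithium, xmss, xmssmt, md5, sha256, sha384, sha512) directly under the comment, with the full pages listed above it, would keep the comment true for whoever adds the next page. Separately, automake does not put `man_MANS` files into the distribution unless they carry the `dist_` prefix or appear in `EXTRA_DIST`. If nothing outside this hunk already covers `manpages/`, `dist_man_MANS+=` would be the safer spelling, since the dist-hook in the next hunk globs `$(distdir)/manpages/*.1`.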
@@ -84,9 +121,44 @@ TESTS += $(check_SCRIPTS) # When tests live in the source tree (no VPATH), those files land in tests/, # where EXTRA_DIST+=tests would otherwise sweep them into the tarball and # break `make distcheck` via stale VPATH lookups. +# Generate the compressed manpages into the tarball from their .1 sources, +# so the .gz copies are never hand-maintained in git. These ship in the release +# tarball for downstream packaging; they are intentionally not installed +# (man_MANS installs the .1 files, and distros compress man pages themselves). +# -n keeps the output byte-reproducible across dist runs (no embedded +# filename/mtime). Only done if manpages are enabled. dist-hook: find $(distdir)/tests -name '*.log' -delete find $(distdir)/tests -name '*.trs' -delete +# Always strip stale .1.gz from the tarball (local manpages-gz output or a +# prior dist may have left them in manpages/). Regenerate only when enabled. + chmod u+w $(distdir)/manpages 2>/dev/null || true + rm -f $(distdir)/manpages/*.1.gz +if ENABLE_MANPAGES + for f in $(distdir)/manpages/*.1; do gzip -nc "$$f" > "$$f.gz"; done +endif + +if ENABLE_MANPAGES +# On-demand regeneration of the compressed manpages from their .1 sources. +# Run `make manpages-gz` after editing any .1; thanks to the prerequisite +# only the pages whose source actually changed are rebuilt. These .gz are +# gitignored and NOT installed (man_MANS installs the .1 files) -- the +# release tarball gets its own fresh copies via the dist-hook above, so this +# target is purely a local convenience (preview/packaging). It is not wired +# into `all` on purpose: writing into the source tree during a normal build +# would break `make distcheck`, which builds against a read-only srcdir. +# -n keeps the output byte-reproducible (no embedded filename/mtime). 
+MAN_GZ = $(man_MANS:.1=.1.gz) + +.PHONY: manpages-gz +manpages-gz: $(MAN_GZ) + +manpages/%.1.gz: $(srcdir)/manpages/%.1 + @$(MKDIR_P) manpages + gzip -nc "$<" > "$@" + +CLEANFILES += $(MAN_GZ) +endif test: check #DISTCLEANFILES+= wolfssl-config diff --git a/README.md b/README.md index b7e42f76..270f3e54 100644 --- a/README.md +++ b/README.md 
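Review bot: The `for` loop added to `dist-hook` reports only the exit status of the last `gzip`, so a failure on an earlier page leaves an empty or truncated `.1.gz` in the release tarball without failing `make dist`. Ending the loop body with `|| exit 1` fixes that: `for f in $(distdir)/manpages/*.1; do gzip -nc "$$f" > "$$f.gz" || exit 1; done`. The `manpages/%.1.gz` pattern rule has a milder form of the same problem: unless `.DELETE_ON_ERROR` is set somewhere outside this hunk, a failed `gzip` leaves a partial target that looks up to date on the next run, so `gzip -nc "$<" > "$@.tmp" && mv "$@.tmp" "$@"` would be more robust. Because regeneration is wrapped in `if ENABLE_MANPAGES`, the tarball contents also depend on how the person cutting the release ran configure. The comment above `dist-hook` should say that releases must be made from a tree configured without `--disable-manpages`.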
@@ -32,16 +32,54 @@ sudo make install If wolfSSL was recently installed run `sudo ldconfig` to update the linker cache. +#### Build Options + +You can customize the build with configure flags: + +``` +./configure --disable-manpages # Skip manpage installation (useful for embedded builds) +./configure --with-wolfssl=PATH # Specify wolfSSL installation path +``` + Now, you should be able to use wolfCLU: ``` wolfssl -h ``` -If everything worked, you should see the wolfCLU help message. +If everything worked, you should see the wolfCLU help message. The manpages are also automatically installed during `make install`, so you can view them immediately: + +``` +man wolfssl +man wolfssl-genkey +man wolfssl-encrypt +``` For instuctions on how to build windows, see [here](ide/winvs/README.md). +## Contributing to Documentation + +### Manpage Building + +Manpages are automatically generated and installed as part of the normal build process (unless disabled with `--disable-manpages`). When you run `make install`, the `.1` source files in the `manpages/` directory are installed to your configured man1 directory (commonly `/usr/local/share/man/man1` or `/usr/share/man/man1`), making them accessible via the `man` command. + +For developers actively editing manpage files (`.1` files in the `manpages/` directory), you can test changes locally without running the full build: + +```bash +mkdir -p ~/.local/share/man/man1 +cp manpages/*.1 ~/.local/share/man/man1/ +man wolfssl-base64 +``` + +Alternatively, generate compressed versions and view them directly (only available if manpages are enabled): + +```bash +make manpages-gz +man -l manpages/wolfssl-base64.1.gz # GNU man; on macOS/BSD use man manpages/wolfssl-base64.1 +``` + +**Important:** Only commit the `.1` source files to the repository. The `.1.gz` compressed versions are generated on-demand during build and distribution—they are gitignored and should never be tracked in git. + ## Examples ### Key Generation 
diff --git a/configure.ac b/configure.ac index 71cd0699..b125a366 100644 --- a/configure.ac +++ b/configure.ac @@ -80,6 +80,16 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFCLU_NO_FILESYSTEM" fi +# Manpages Build +ENABLED_MANPAGES_DEFAULT=yes +AC_ARG_ENABLE([manpages], + [AS_HELP_STRING([--disable-manpages],[Disable manpage installation (default: enabled)])], + [ ENABLED_MANPAGES=$enableval ], + [ ENABLED_MANPAGES=$ENABLED_MANPAGES_DEFAULT ] + ) + +AM_CONDITIONAL([ENABLE_MANPAGES], [test "x$ENABLED_MANPAGES" != "xno"]) + #wolfssl AC_MSG_CHECKING([for wolfSSL]) diff --git a/manpages/gzip_all.sh b/manpages/gzip_all.sh deleted file mode 100755 index c09e8162..00000000 --- a/manpages/gzip_all.sh +++ /dev/null @@ -1,5 +0,0 @@ -gzip < wolfCLU_benchmark.1 > wolfCLU_benchmark.1.gz -gzip < wolfCLU_decrypt.1 > wolfCLU_decrypt.1.gz -gzip < wolfCLU_encrypt.1 > wolfCLU_encrypt.1.gz -gzip < wolfCLU_hash.1 > wolfCLU_hash.1.gz -gzip < wolfssl.1 > wolfssl.1.gz diff --git a/manpages/manual.txt b/manpages/manual.txt index f2b7044a..50cfe1bb 100644 --- a/manpages/manual.txt +++ b/manpages/manual.txt 
@@ -1,133 +1,27 @@ Welcome to the wolfSSL Command Line Utility Manual! -The first thing that will need to be done is a complete download and install of -wolfSSL. An instructional video of this process can be found here: +After installing wolfSSL and wolfCLU, man pages are installed automatically +during "make install" (unless you used --disable-manpages). View them with: -https://www.youtube.com/watch?v=zXRLwW0DIPA + man wolfssl + man wolfssl-encrypt + man wolfssl-genkey -Next view the README.md file. Which says this: +Each command has a wolfssl- man page in the manpages/ directory. +See README.md in the wolfCLU root for build options and local testing tips. -To use this feature, please ./configure --enable-pwdbased --enable-opensslextra - other features that can be included are: - --enable-camellia - --enable-blake2 - --enable-sha512 - --enable-fortress +Quick reference: -then run configure, make, and make install from the command line utility root. + wolfssl encrypt / decrypt / enc symmetric encryption + wolfssl hash / md5 / sha256 hashing + wolfssl bench benchmarking + wolfssl genkey / req / ca / x509 keys and certificates + wolfssl verify / crl / ocsp chain and revocation checks -The Utility has many tools. Encryption, Decryption, Hashing, Benchmarking, with -more to come. +For full option lists, use "wolfssl -h" or the individual man pages. -The man pages provided with the utility also give a brief rundown of how to use -each tool in the kit. - -Manpages are installed automatically during the make process - -You will now be able to run a man page by typing "man wolfsslBenchmark" etc. 
-manpages are as follows: -wolfCLU_benchmark -wolfCLU_encrypt -wolfCLU_decrypt -wolfCLU_hash -wolfCLU_main - -ENCRYPTION - - SYNOPSIS - wolfssl -encrypt <-algorithm> <-in filename> [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] - DESCRIPTION - This command allows data to be encrypted using ciphers and keys based on passwords if not explicitly provided - .ALGORITHMS - -aes-cbc-[128|192|256] - uses AES algorithm with designated key size. - -aes-ctr-[128|192|256] - uses AES Counter with designated key size. Only available if ./configure settings support - -3des-cbc-[056|112|168] - uses 3DES algorithm with designated key size. - -camellia-cbc-[128|192|256] - uses Camellia algorithm with designated key size. Only available if ./configure settings support - OPTIONS - -in filename/stdin the input filename, standard input. If file does not exist, it will treat data as stdin - -out filename the output filename, if filename does not exist, it will be created - -pwd password password to derive the key from. prompts if password option is not provided. If used, iv isn't needed - -iv IV the actual iv to use. If not provided, one is randomly generated. Must be provided in hex - -key hex the actual key to use, supplied as a hex string on the command line. Length must match the algorithm key size. Requires -iv: when an explicit key is supplied, no salt-based key/iv derivation runs and no Salted__ header is written. - -inkey filename read the key from a file. The file may hold either a hex-encoded key (whitespace within the file is ignored) or a raw binary key whose byte length matches the algorithm key size. The argument must name a real file; use -key to pass a hex key on the command line. 
- -DECRYPTION - - SYNOPSIS - wolfssl -decrypt <-algorithm> <-in filename> [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] - DESCRIPTION - This command allows data to be decrypted using ciphers and keys based on passwords if not explicitly provided - ALGORITHMS - -aes-cbc-[128|192|256] - uses AES algorithm with designated key size. - -aes-ctr-[128|192|256] - uses AES Counter with designated key size. Only available if ./configure settings support - -3des-cbc-[056|112|168] - uses 3DES algorithm with designated key size. - -camellia-cbc-[128|192|256] - uses Camellia algorithm with designated key size. Only available if ./configure settings support - OPTIONS - -in filename/stdin the input filename, standard input. If file does not exist, it will treat data as stdin - -out filename the output filename, if filename does not exist, it will be created - -pwd password password to derive the key from. prompts if password option is not provided. If used, iv isn't needed - -iv IV the actual iv to use. If not provided, one is randomly generated. Must be provided in hex - -key hex the actual key to use, supplied as a hex string on the command line. Length must match the algorithm key size. Requires -iv: when an explicit key is supplied, no salt-based key/iv derivation runs, so the IV must be provided directly. - -inkey filename read the key from a file. The file may hold either a hex-encoded key (whitespace within the file is ignored) or a raw binary key whose byte length matches the algorithm key size. The argument must name a real file; use -key to pass a hex key on the command line. 
- -HASH - - SYNOPSIS - wolfssl -hash <-algorithm> <-i filename> [-o filename/stdin] [-s size] [-l length] - DESCRIPTION - This command hashes either stdin or a file based on the chosen algorithm - ALGORITHMS - -md5 - -sha - -sha256 - (NOTE: The following are only available if ./configure supports them) - -sha384 - -sha512 - -blake2b - OPTIONS - -in filename/stdin the input filename, standard input. If file does not exist, it will treat data as stdin - -out filename the output filename, if not provided will print stdout - -size size block size of the function. Usuable only with Blake2b - -length length length of message to hash - -BENCHMARK - - SYNOPSIS - wolfssl benchmark TESTS [-time time] [-all] [-tests] - DESCRIPTION - Tests algorithm functionality and speed - TESTS - -aes-cbc - -aes-ctr* - -3des - -camellia* - -md5 - -sha - -sha256 - -sha384* - -sha512* - -blake2b* - *(NOTE: Only available through ./configure options) - OPTIONS - -time time for each of the tests in seconds - -all runs all available tests - -TESTING - - Various tests can also be performed on the toolkit via nistTest.sh and tests.sh - to perform these tests, simply change the 'PAT' variable in each one to lead - to where you extracted the Utility to. AUTHOR - wolfSSL, Inc. (info@wolfssl.com) - Copyright 2014 wolfSSL Inc. All rights reserved. - -Please report wolfssl any bugs to support@wolfssl.com + wolfSSL, Inc. (facts@wolfssl.com) + Copyright 2026 wolfSSL Inc. All rights reserved. +Please report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfCLU_benchmark.1 b/manpages/wolfCLU_benchmark.1 deleted file mode 100644 index 7419efc5..00000000 --- a/manpages/wolfCLU_benchmark.1 +++ /dev/null 
@@ -1,34 +0,0 @@ -.\" Manpage for wolfCLU_benchmark. -.\" Contact info@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl benchmark man page" -.SH NAME -wolfCLU benchmark \- benchmarking utility for testing -.SH SYNOPSIS -wolfssl -bench TESTS [-time ] [-all] [-tests] -.SH DESCRIPTION -Tests algorithm functionality and speed -.SH TESTS --aes-cbc --aes-ctr* --3des* --camellia* --md5 --sha --sha256 --sha384* --sha512* --blake2b* -*(NOTE: Only available through ./configure options) -.SH OPTIONS --time time for each of the tests in seconds -.br -.LP --all runs all available tests -.SH BUGS -No known bugs at this time. -.SH AUTHOR -wolfSSL, Inc. (info@wolfssl.com) -.SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. -.SH REPORTING BUGS -Report wolfssl bugs to support@wolfssl.com 
diff --git a/manpages/wolfCLU_benchmark.1.gz b/manpages/wolfCLU_benchmark.1.gz deleted file mode 100644 index 13076ac4bb7de2a3a7cb0f4159dd4c3749bc6d2b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 506 zcmVF0t4Kx;)>3`=$V+=>#4ah1q0!JA%;!&)s~X zgYrWXIwHXv8X=r-Az41Ikq51Ihbz!a^tIu#fx&XY?I}FMGGpCYNY9^=bf3pL`p}6& z8Wiii$l*D%ykqd&F#6}!?T8S5@dV~IQvN>OoS=l_Wu# z$O=r)SQYXDKZ*!55iRK@uzHN5dBu!dDCw9GoVc*77AP_;3Da!xGpzGpx8o2jrZX3m zf*jeb9Ha3~k{0VbNTqO^Z-fg{3I?{-YG_)(Kd6#5ZwAdk_1>NN77V4~4bIZni@}eu z^;KiUl||K#iG>Op_q)Ntl&lQGrABzSN4`RE8G4Yu8sgf8&kJ(*hfR(W1xKmgC6q(s zpw@A76BKa(Ef2*u&CsPwzC$c2hMWJp?CgJ)?w_)Fvn|j{^(W1n)`mv <-in filename> [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] -.SH DESCRIPTION -This command allows data to be decrypted using ciphers and keys based on passwords if not explicitly provided -.SH ALGORITHMS - --aes-cbc-[ 128 | 192 | 256 ] - uses AES algorithm with designated key size. - --aes-ctr-[ 128 | 192 | 256 ] - uses AES Counter with designated key size. - to use the -ctr option you must enable the following flag - "#define WOLFSSL_AES_COUNTER" - --3des-cbc-[ 056 | 112 | 168 ] - uses 3DES algorithm with designated key size. requires wolfssl be - configured with --enable-des3. - --camellia-cbc-[128|192|256] - uses Camellia algorithm with designated key size. requires wolfssl be - configured with --enable-camellia - -.SH OPTIONS --in filename/stdin the input filename, standard input. If file does not -.br - exist, user will be prompted for file name or input string -.br -.LP --out filename the output filename, if filename does not exist, it will be created -.br -.LP --pwd password password to derive the key from. Prompts user if password -.br - option is not provided. If password option is used iv is not required. -.br -.LP --iv IV the actual iv to use. If not provided, one is randomly generated. 
-.br - Must be provided in hex -.br -.LP --key hex the actual key to use, supplied as a hex string on the -.br - command line. Length must match the algorithm key size. -.br - Requires -iv: when an explicit key is supplied, no -.br - salt-based key/iv derivation runs, so the IV must be -.br - provided directly. -.br -.LP --inkey filename read the key from a file. The file may contain either a -.br - hex-encoded key (whitespace within the file is ignored) -.br - or a raw binary key whose byte length matches the -.br - algorithm key size. The argument must name a real -.br - file; use -key to pass a hex key on the command line. -.SH BUGS -No known bugs at this time. -.SH AUTHOR -wolfSSL, Inc. (info@wolfssl.com) -.SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. -.SH REPORTING BUGS -Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfCLU_decrypt.1.gz b/manpages/wolfCLU_decrypt.1.gz deleted file mode 100644 index e0e324d8c0783fb5c871ba30e5b3fc6f4d56ada1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 874 zcmV-w1C{(AiwFRb2NuW7fk!5Hh(tT9XD5T_fZEk&_q zN7R-)Nlu#4AHO>}cGAK|UuLk0qPy?D`|flKZhCORWW{n0nbNRUMK%~;Ldp}pschf{ zXfROHvc!UrnfgK&#uP!KO0WtNr8UPruC>wz5W;RMWzcaxa%gcp27LPfz5XGb@dSFU8t#5H%ty7F_%v$M`)?x+W5BhP>H-PW0i*`1Q z2eWWG52J}UUkZZ)l*l;+RupP&AZ3=3E(_kK#8aq^kolIp0kTFs0}EzwQ^_u@0g-`J zsOCdeh(y?81C>@Qk@D03suLDK$ZGFk9DuRduS}=SMgU>vHX&6= z1bfvB7P@2c^x+S}*aJ$Gnxr7U)Xt?l6Etlc5QU++(F8VDWAPnmFrIo(PH6{BJaOYG zQIYKoTXHQ0VLJke<|OMb!v4AMB6NRX>!w_bRnwhRiwrXeVCwQPO>!8zb@+!I+pZT4 zv-Vs&MZ0i2o0?_=&Y-RNw)SbTBkl&&^B}|$XLZdAa&8Wu3$Y*b0EZ4IWR0~|B~F=~ zORh*1Xu?E00#S| AmH+?% diff --git a/manpages/wolfCLU_encrypt.1 b/manpages/wolfCLU_encrypt.1 deleted file mode 100644 index 61ec23c4..00000000 --- a/manpages/wolfCLU_encrypt.1 +++ /dev/null 
@@ -1,70 +0,0 @@ -.\" Manpage for wolfssl encrypt. -.\" Contact info@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl encrypt man page" -.SH NAME -encrypt \- cipher routines -.SH SYNOPSIS -wolfssl -encrypt <-algorithm> <-in filename> [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] -.SH DESCRIPTION -This command allows data to be encrypted using ciphers and keys based on passwords if not explicitly provided -.SH ALGORITHMS --aes-cbc-[128|192|256] - uses AES algorithm with designated key size. - --aes-ctr-[128|192|256] - uses AES Counter with designated key size. - to use the -ctr option you must use the following: - "#define WOLFSSL_AES_COUNTER" - --3des-cbc-[056|112|168] - uses 3DES algorithm with designated key size. - --camellia-cbc-[128|192|256] - uses Camellia algorithm with designated key size. Only available if ./configure settings support -.SH OPTIONS --in filename/stdin the input filename, standard input. If file does not -.br - exist, user will be prompted for file name or input string -.br -.LP --out filename the output filename, if filename does not exist, it will be created -.br -.LP --pwd password password to derive the key from. Prompts user if password -.br - option is not provided. If password option is used iv is not required. -.br -.LP --iv IV the actual iv to use. If not provided, one is randomly generated. -.br - Must be provided in hex -.br -.LP --key hex the actual key to use, supplied as a hex string on the -.br - command line. Length must match the algorithm key size. -.br - Requires -iv: when an explicit key is supplied, no -.br - salt-based key/iv derivation runs and no Salted__ -.br - header is written. -.br -.LP --inkey filename read the key from a file. The file may contain either a -.br - hex-encoded key (whitespace within the file is ignored) -.br - or a raw binary key whose byte length matches the -.br - algorithm key size. 
The argument must name a real -.br - file; use -key to pass a hex key on the command line. -.SH BUGS -No known bugs at this time. -.SH AUTHOR -wolfSSL, Inc. (info@wolfssl.com) -.SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. -.SH REPORTING BUGS -Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfCLU_encrypt.1.gz b/manpages/wolfCLU_encrypt.1.gz deleted file mode 100644 index 7683ce3c47a971066b2f3f79968d5de1e383a193..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 843 zcmV-R1GM}fiwFQ-<~mpa1C3Q}Z`v>r{+?fPVqZ21QlM+qO;a^S8AJnu2;Ee*Rb>(f ztR{A5J5VNm{LUr`6sa$ff@JRPx#ym9+`Af#2+zoZLM$Y#MG`BO0Og_FWZHFHbm$7M zNvMJGSbQ%$+)$*T1%yIMiZ&{xkP0w`-ef{y;A~*C1;G&TZ2{C;O}L^Vw41HZHK;Y+ zQ~W(D2r1!U(9|3^7{ItQ>N%z9t^py-mQ;cixn`Uy>l56J{Yl^jPMNAv27GIfWFaKe z%k&Ztj6=*4%1KHu;kJP}s`EXbvvq`(m0AlKnKN5~_xs+KxatMnsW+K<{@9rU#rmC zhls{FQ~2W#f1+Lf~Jgo`qA+_|iJc>d5QrgYsjW`>z0Mz5%})XLRtzfEMy zm_6PVR$3xxo75dnoM&58B{n$G@EjQ_oz@IwBRbK~>hc0|P{#1Oj zzFmKEGxhp|nbQ^7MzY0H+pj_Op|HWwL1kDY5<+pFD@y~$PkR%8I`hW;9keMmdsKb1 VEI@3h*ssI#&VPGNO1J0+005LRl%D_q diff --git a/manpages/wolfCLU_hash.1 b/manpages/wolfCLU_hash.1 deleted file mode 100644 index 5d3c193c..00000000 --- a/manpages/wolfCLU_hash.1 +++ /dev/null 
@@ -1,37 +0,0 @@ -.\" Manpage for wolfssl command line utility hash. -.\" Contact info@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl hash man page" -.SH NAME -hash \- hashing utility -.SH SYNOPSIS -wolfssl -hash <-algorithm> <-in filename> [-out filename/stdin] [-size size] [-length length] -.SH DESCRIPTION -This command hashes either stdin or a file based on the chosen algorithm -.SH ALGORITHMS --md5 --sha --sha256 -(NOTE: The following are only available if ./configure supports them) --sha384 --sha512 --blake2b -.SH OPTIONS --in filename/stdin the input filename, standard input. If file does not exist, -.br - user will be prompted for file name or input input string -.br -.LP --out filename the output filename, if file does not exist, it will be created -.LP --size size **Usuable only with Blake2b. Block size of the function. -.LP --length length length of message to hash (optional) -** denotes only available for specific algorithm -.SH BUGS -No known bugs at this time. -.SH AUTHOR -wolfSSL, Inc. (info@wolfssl.com) -.SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. -.SH REPORTING BUGS -Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfCLU_hash.1.gz b/manpages/wolfCLU_hash.1.gz deleted file mode 100644 index 2411a232f4b935fa800d02873efc2a38be0b045b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 662 zcmV;H0%`ppiwFQ2)4~$4(m+v>T~ToyolS=6NRcWdx5*wrsdP`hiD!Nhdw@ss2M@HYV%O)lV` z=Pii4I^D0^=VL}cdfq(mF z!0L_C!dA@BPXjUo&SKea>rHIYU>Pp1NP2D%`&7BCD8L+$x>`OjGC@(mA1yQHm4r# z^81y)Ur(ka$ZGb+r5$C=nO_p7lQi}#rHVNE_A__wrLYY%I`8wjK{@q!$evZS%G9@$B?zGrc)=%*;;652{ w(M=yTpgA7#J1=^!c)pI}G+ZruX)$;0IedM*K&*Y=w#W43FW*>J=CT9;01tsh<^TWy diff --git a/manpages/wolfssl-base64.1 b/manpages/wolfssl-base64.1 new file mode 100644 index 00000000..2e46d8a1 --- /dev/null +++ b/manpages/wolfssl-base64.1 
@@ -0,0 +1,31 @@ +.\" Manpage for wolfssl base64. +.\" Contact facts@wolfssl.com to correct errors or typos. +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl base64 man page" +.SH NAME +wolfssl-base64, base64 \- base64 encode or decode data +.SH SYNOPSIS +wolfssl base64 [-in file] [-out file] [-d] +.SH DESCRIPTION +Base64-encodes or decodes data. Defaults to reading from standard input +and writing to standard output when -in/-out are not given. +.SH OPTIONS +-in file input file to encode/decode. +.br +.LP +-out file output file for the encoded/decoded data. +.br +.LP +-d decode the input (default is to encode). +.SH NOTES +Available only when wolfSSL is built with filesystem support and encoding +support (not NO_CODING). +.SH SEE ALSO +.BR wolfssl-enc(1) ", " wolfssl-hash(1) +.SH BUGS +No known bugs at this time. +.SH AUTHOR +wolfSSL, Inc. (facts@wolfssl.com) +.SH COPYRIGHT +Copyright 2026 wolfSSL Inc. All rights reserved. +.SH REPORTING BUGS +Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfssl-bench.1 b/manpages/wolfssl-bench.1 new file mode 100644 index 00000000..e7617dbf --- /dev/null +++ b/manpages/wolfssl-bench.1 
@@ -0,0 +1,64 @@ +.\" Manpage for wolfCLU_benchmark. +.\" Contact facts@wolfssl.com to correct errors or typos. +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl benchmark man page" +.SH NAME +wolfssl-bench, bench \- benchmark cryptographic algorithms +.SH SYNOPSIS +wolfssl bench {aes-cbc|aes-ctr|3des|camellia|md5|sha|sha256|sha384|sha512|blake2b|...} [-time ] +.br +wolfssl bench -all [-time ] +.SH DESCRIPTION +Benchmarks the performance of various cryptographic algorithms, measuring how fast they encrypt, decrypt, or hash data. Useful for understanding the speed and efficiency of different algorithms on your system. +.SH TESTS +aes-cbc +.br +aes-ctr* +.br +3des* +.br +camellia* +.br +md5 +.br +sha +.br +sha256 +.br +sha384* +.br +sha512* +.br +blake2b* +*(NOTE: Only available through ./configure options) +.SH OPTIONS +-time time for each test in seconds (1-10; default 3). Values +.br + outside this range are reset to 3. +.br +.LP +-all runs all available tests +.SH EXAMPLES +Benchmark AES-CBC encryption for 5 seconds: +.RS +wolfssl bench aes-cbc -time 5 +.RE +.LP +Benchmark SHA-256 hashing for 10 seconds: +.RS +wolfssl bench sha256 -time 10 +.RE +.LP +Run all available benchmarks: +.RS +wolfssl bench -all -time 5 +.RE +.SH SEE ALSO +.BR wolfssl-encrypt(1) ", " wolfssl-hash(1) ", " wolfssl(1) +.SH BUGS +No known bugs at this time. +.SH AUTHOR +wolfSSL, Inc. (facts@wolfssl.com) +.SH COPYRIGHT +Copyright 2026 wolfSSL Inc. All rights reserved. +.SH REPORTING BUGS +Report wolfssl bugs to support@wolfssl.com diff --git a/manpages/wolfssl-ca.1 b/manpages/wolfssl-ca.1 new file mode 100644 index 00000000..04495b17 --- /dev/null +++ b/manpages/wolfssl-ca.1 
@@ -0,0 +1,97 @@
+.\" Manpage for wolfssl ca.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ca man page"
+.SH NAME
+wolfssl-ca, ca \- sign certificates from a CSR or self-sign
+.SH SYNOPSIS
+wolfssl ca -in CSR [-config file] [-keyfile file] [-cert file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-md digest] [-days n] [-extensions section] [-selfsign] [-altkey file] [-altpub file] [-subjkey file] [-altextend]
+.SH DESCRIPTION
+Acts as a minimal certificate authority. Reads a certificate signing
+request (CSR) and issues a signed certificate using the CA certificate and
+private key, or self-signs using the supplied key. CA key and certificate
+may be supplied on the command line or via the [CA_default] section of
+the configuration file (see -config).
+.SH OPTIONS
+-in file CSR file to read the request from (required for normal
+.br
+ signing).
+.br
+.LP
+-out file output file for the signed certificate.
+.br
+.LP
+-keyfile file private key used to sign the certificate.
+.br
+.LP
+-cert file CA certificate to issue from.
+.br
+.LP
+-config file configuration file to read CA settings from.
+.br
+.LP
+-inform PEM|DER input format of the CSR.
+.br
+.LP
+-outform PEM|DER output format of the certificate. The normal signing
+.br
+ path always writes PEM; -outform der is currently
+.br
+ ignored.
+.br
+.LP
+-md digest signing digest to use, e.g. sha256.
+.br
+.LP
+-days n number of days the certificate is valid for.
+.br
+.LP
+-extensions section section of the config file to read extensions from.
+.br
+.LP
+-selfsign sign using the key associated with the certificate
+.br
+ instead of a separate CA certificate.
+.br
+.LP
+-altkey file alternate private key (dual-algorithm certificates;
+.br
+ requires wolfSSL built with WOLFSSL_DUAL_ALG_CERTS and
+.br
+ HAVE_DILITHIUM).
+.br
+.LP
+-altpub file alternate public key (dual-algorithm certificates).
+.br
+.LP
+-subjkey file subject key for dual-algorithm certificates.
+.br
+.LP
+-altextend extend with an alternate key (dual-algorithm certificates).
+.SH EXAMPLES
+Self-sign a CSR with its own key:
+.RS
+wolfssl ca -selfsign -in mycsr.pem -keyfile mykey.pem -out mycert.pem -days 365 -md sha256
+.RE
+.LP
+Sign a CSR as a CA with your CA certificate and key:
+.RS
+wolfssl ca -in csr.pem -out cert.pem -keyfile ca-key.pem -cert ca-cert.pem -days 365 -md sha256
+.RE
+.LP
+View the certificate details after signing:
+.RS
+wolfssl x509 -in cert.pem -text -noout
+.RE
+.SH SEE ALSO
+.BR wolfssl-req(1) ", " wolfssl-x509(1) ", " wolfssl-verify(1)
+.SH NOTES
+This command is only available when wolfSSL is built with filesystem
+support (not WOLFCLU_NO_FILESYSTEM).
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-crl.1 b/manpages/wolfssl-crl.1
new file mode 100644
index 00000000..e94e363b
--- /dev/null
+++ b/manpages/wolfssl-crl.1
@@ -0,0 +1,46 @@
+.\" Manpage for wolfssl crl.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl crl man page"
+.SH NAME
+wolfssl-crl, crl \- parse and verify Certificate Revocation Lists
+.SH SYNOPSIS
+wolfssl crl -in file [-out file] [-inform PEM|DER] [-outform PEM|DER] [-CAfile file] [-text] [-noout]
+.SH DESCRIPTION
+Reads a Certificate Revocation List (CRL), optionally verifies it against a
+CA certificate, converts it between PEM and DER, and/or prints it.
+.SH OPTIONS
+-in file the file to read from (required).
+.br
+.LP
+-out file output file to write to.
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-CAfile file CA certificate used to verify the CRL.
+.br
+.LP
+-text output human readable text of the CRL.
+.br
+.LP
+-noout suppress PEM/DER re-encoding of the CRL on output.
+.br
+ Does not suppress -text output when both are given.
+.SH NOTES
+Available only when wolfSSL is built with CRL support (HAVE_CRL) and
+filesystem support. Human-readable printing additionally requires CRL
+print support in wolfSSL.
+.SH SEE ALSO
+.BR wolfssl-verify(1) ", " wolfssl-x509(1) ", " wolfssl-ocsp(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-decrypt.1 b/manpages/wolfssl-decrypt.1
new file mode 100644
index 00000000..7021813d
--- /dev/null
+++ b/manpages/wolfssl-decrypt.1
@@ -0,0 +1,90 @@
+.\" Manpage for wolfCLU decrypt.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl decrypt man page"
+.SH NAME
+wolfssl-decrypt, decrypt \- cipher routines
+.SH SYNOPSIS
+wolfssl decrypt <-algorithm> -in filename [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] [enc options]
+.SH DESCRIPTION
+Decrypts a file using a cipher and a password or key. The algorithm must
+match the one used for encryption. For AES and 3DES (EVP path),
+password-based decryption extracts the salt from the file and derives key
+and IV from the password and salt. For legacy non-EVP ciphers (e.g.
+Camellia), salt and IV are read from the file header. For explicit keys
+and IVs, you must provide the same values used during encryption. For
+encryption, see
+.B wolfssl-encrypt(1).
+.SH ALGORITHMS
+See
+.BR wolfssl-enc(1)
+for the supported cipher names and key sizes.
+.SH OPTIONS
+-in filename the input file to decrypt (required).
+.br
+.LP
+-out filename the output file. For AES and 3DES, defaults to
+.br
+ stdout when omitted. For other ciphers, the user is
+.br
+ prompted when omitted.
+.br
+.LP
+-pwd password password to derive the key from. If -pwd is not
+.br
+ provided, the command exits with an error (unlike
+.br
+ encrypt, decrypt does not prompt for a password).
+.br
+.LP
+-iv IV the IV to use when -key or -inkey is supplied.
+.br
+ Must be provided in hex. Not used for password-based
+.br
+ decryption on the EVP path.
+.br
+.LP
+-key hex the actual key to use, supplied as a hex string on the
+.br
+ command line. Length must match the algorithm key size.
+.br
+ Requires -iv: when an explicit key is supplied, no
+.br
+ salt-based key/iv derivation runs, so the IV must be
+.br
+ provided directly.
+.br
+.LP
+-inkey filename read the key from a file. The file may contain either a
+.br
+ hex-encoded key (whitespace within the file is ignored)
+.br
+ or a raw binary key whose byte length matches the
+.br
+ algorithm key size. The argument must name a real
+.br
+ file; use -key to pass a hex key on the command line.
+.br
+.LP
+Additional options shared with
+.BR wolfssl-enc(1)
+also work here: -pbkdf2, -md, -base64, -nosalt, -p, -k, -pass.
+.SH EXAMPLES
+Decrypt a file with a password:
+.RS
+wolfssl decrypt -aes-cbc-256 -in myfile.enc -out myfile.txt -pwd mypassword
+.RE
+.LP
+Decrypt with an explicit key (must match encryption):
+.RS
+wolfssl decrypt -aes-cbc-256 -in myfile.enc -out myfile.txt -key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef0123456789abcdef
+.RE
+.SH SEE ALSO
+.BR wolfssl-encrypt(1) ", " wolfssl-enc(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-dgst.1 b/manpages/wolfssl-dgst.1
new file mode 100644
index 00000000..e376df72
--- /dev/null
+++ b/manpages/wolfssl-dgst.1
@@ -0,0 +1,62 @@
+.\" Manpage for wolfssl dgst.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dgst man page"
+.SH NAME
+wolfssl-dgst, dgst \- create and verify message digest signatures
+.SH SYNOPSIS
+wolfssl dgst [-md5|-sha|-sha224|-sha256|-sha384|-sha512] [-sign key | -verify key] [-signature file] [-inform PEM|DER] [-out file]
+.SH DESCRIPTION
+Signs a file or verifies a signature over a file using a chosen digest
+algorithm. A digest flag (e.g. -sha256) is required; there is no default.
+The data that was signed is given as the final argument. RSA and ECC keys
+are supported.
+.SH DIGEST ALGORITHMS
+-md5
+.br
+-sha
+.br
+-sha224
+.br
+-sha256
+.br
+-sha384
+.br
+-sha512
+.SH OPTIONS
+-sign key private key used to create the signature.
+.br
+.LP
+-verify key key used to verify the signature.
+.br
+.LP
+-signature file file containing the signature to verify.
+.br
+.LP
+-inform PEM|DER input format of the key (default PEM).
+.br
+.LP
+-out file output file for the signature. Required when signing;
+.br
+ optional when verifying.
+.SH EXAMPLES
+Sign a file:
+.br
+wolfssl dgst -sha256 -sign key.pem -out test.sig test
+.br
+.LP
+Verify a signature over the file "test":
+.br
+wolfssl dgst -sha256 -signature test.sig -verify key.pem test
+.SH NOTES
+Available only when wolfSSL is built with filesystem support. On wolfSSL
+later than 5.9.1, MD5 is below the default minimum signature hash.
+.SH SEE ALSO
+.BR wolfssl-hash(1) ", " wolfssl-sign_verify(1) ", " wolfssl-genkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-dhparam.1 b/manpages/wolfssl-dhparam.1
new file mode 100644
index 00000000..486bb02b
--- /dev/null
+++ b/manpages/wolfssl-dhparam.1
@@ -0,0 +1,47 @@
+.\" Manpage for wolfssl dhparam.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dhparam man page"
+.SH NAME
+wolfssl-dhparam, dhparam \- Diffie-Hellman parameter and key generation
+.SH SYNOPSIS
+wolfssl dhparam [-in file] [-out file] [-genkey] [-check] [-noout] numbits
+.br
+wolfssl dhparam -in file [-out file] [-genkey] [-check] [-noout]
+.SH DESCRIPTION
+Generates Diffie-Hellman parameters and keys, or reads and displays
+existing DH parameters. Parameter generation requires a trailing numbits
+positional argument (for example 1024, 2048, or 4096). Omitting numbits
+when generating parameters fails.
+.SH OPTIONS
+-in file input file for PEM DH parameters to read (PEM only;
+.br
+ there is no -inform option).
+.br
+.LP
+-out file file to output to (default stdout).
+.br
+.LP
+-genkey generate a DH key from parameters supplied via -in or
+.br
+ generated in the same command. Does not generate
+.br
+ parameters by itself.
+.br
+.LP
+-check check that the parameters are valid.
+.br
+.LP
+-noout do not print out the parameters.
+.SH NOTES
+Available only when wolfSSL is built with DH support (not NO_DH).
+4096-bit parameters require wolfSSL built with HAVE_FFDHE_4096.
+.SH SEE ALSO
+.BR wolfssl-dsaparam(1) ", " wolfssl-ecparam(1) ", " wolfssl-genkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-dilithium.1 b/manpages/wolfssl-dilithium.1
new file mode 100644
index 00000000..5d27c25b
--- /dev/null
+++ b/manpages/wolfssl-dilithium.1
@@ -0,0 +1,5 @@
+.\" Alias page: dilithium sign/verify is documented in wolfssl-sign_verify(1).
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dilithium man page"
+.SH NAME
+wolfssl-dilithium, dilithium \- Dilithium raw signing and verification
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-dsaparam.1 b/manpages/wolfssl-dsaparam.1
new file mode 100644
index 00000000..2b76d0d6
--- /dev/null
+++ b/manpages/wolfssl-dsaparam.1
@@ -0,0 +1,39 @@
+.\" Manpage for wolfssl dsaparam.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl dsaparam man page"
+.SH NAME
+wolfssl-dsaparam, dsaparam \- DSA parameter and key generation
+.SH SYNOPSIS
+wolfssl dsaparam [-in file] [-out file] [-genkey] [-noout] [numbits]
+.SH DESCRIPTION
+Generates DSA parameters and keys, or reads and displays existing DSA
+parameters. Parameter generation requires a trailing numbits positional
+argument (for example 1024 or 2048). Omitting numbits when generating
+parameters fails.
+.SH OPTIONS
+-in file input file for PEM DSA parameters to read (PEM only;
+.br
+ there is no -inform option).
+.br
+.LP
+-out file file to output to (default stdout).
+.br
+.LP
+-genkey generate a DSA key from parameters supplied via -in or
+.br
+ generated in the same command.
+.br
+.LP
+-noout do not print out the parameters.
+.SH NOTES
+Available only when wolfSSL is built with DSA support (not NO_DSA).
+.SH SEE ALSO
+.BR wolfssl-dhparam(1) ", " wolfssl-ecparam(1) ", " wolfssl-genkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-ecc.1 b/manpages/wolfssl-ecc.1
new file mode 100644
index 00000000..61ebe747
--- /dev/null
+++ b/manpages/wolfssl-ecc.1
@@ -0,0 +1,5 @@
+.\" Alias page: ecc sign/verify is documented in wolfssl-sign_verify(1).
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ecc man page"
+.SH NAME
+wolfssl-ecc, ecc \- ECC raw signing and verification
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-ecparam.1 b/manpages/wolfssl-ecparam.1
new file mode 100644
index 00000000..4550e325
--- /dev/null
+++ b/manpages/wolfssl-ecparam.1
@@ -0,0 +1,50 @@
+.\" Manpage for wolfssl ecparam.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ecparam man page"
+.SH NAME
+wolfssl-ecparam, ecparam \- EC parameter and key generation
+.SH SYNOPSIS
+wolfssl ecparam [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-genkey] [-name curve] [-text]
+.SH DESCRIPTION
+Generates elliptic curve keys and parameters, or reads an EC private key
+and writes its curve parameters. With -in alone the output is an EC
+PARAMETERS OID block (and optional -text curve name), not the private key.
+Private key output requires -genkey.
+.SH OPTIONS
+-in file input file to read an EC private key from (optional).
+.br
+ Does not read standalone EC PARAMETERS files. When
+.br
+ combined with -genkey, -in is read but then replaced
+.br
+ by a newly generated key.
+.br
+.LP
+-out file output file.
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-genkey generate a new EC private key and write it to -out.
+.br
+.LP
+-name curve curve name, e.g. secp256r1 or secp384r1. The list of
+.br
+ supported curve names is shown by "wolfssl ecparam -help".
+.br
+.LP
+-text output a text representation of the curve name.
+.SH SEE ALSO
+.BR wolfssl-dhparam(1) ", " wolfssl-dsaparam(1) ", " wolfssl-genkey(1) ", " wolfssl-req(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-ed25519.1 b/manpages/wolfssl-ed25519.1
new file mode 100644
index 00000000..68e86c09
--- /dev/null
+++ b/manpages/wolfssl-ed25519.1
@@ -0,0 +1,5 @@
+.\" Alias page: ed25519 sign/verify is documented in wolfssl-sign_verify(1).
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ed25519 man page"
+.SH NAME
+wolfssl-ed25519, ed25519 \- Ed25519 raw signing and verification
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-enc.1 b/manpages/wolfssl-enc.1
new file mode 100644
index 00000000..ed8de996
--- /dev/null
+++ b/manpages/wolfssl-enc.1
@@ -0,0 +1,92 @@
+.\" Manpage for wolfssl enc.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl enc man page"
+.SH NAME
+wolfssl-enc, enc \- generic symmetric encryption and decryption
+.SH SYNOPSIS
+wolfssl enc <-algorithm> [-d] [-in file] [-out file] [-pwd password] [-pass source] [-k password] [-key hex] [-iv hex] [-inkey file] [-md digest] [-pbkdf2] [-base64] [-nosalt] [-p]
+.SH DESCRIPTION
+Encrypts or decrypts a file using a symmetric cipher. By default enc
+encrypts; the -d flag selects decryption. This is the OpenSSL-style generic
+cipher mode; the encrypt and decrypt commands are direction-fixed
+equivalents.
+.SH ALGORITHMS
+-aes-cbc-[128|192|256]
+.br
+ uses AES in CBC mode with the designated key size.
+.br
+-aes-ctr-[128|192|256]
+.br
+ uses AES in CTR mode (requires WOLFSSL_AES_COUNTER).
+.br
+-3des-cbc-[56|112|168]
+.br
+ uses 3DES (requires --enable-des3).
+.br
+-camellia-cbc-[128|192|256]
+.br
+ uses Camellia (requires --enable-camellia).
+.SH OPTIONS
+-d decrypt the input (default is to encrypt).
+.br
+.LP
+-in file input file to read from.
+.br
+.LP
+-out file file to write to (default stdout).
+.br
+.LP
+-pwd password password to derive the key from.
+.br
+.LP
+-k password alternate option for password input.
+.br
+.LP
+-pass source password source, e.g. pass:.
+.br
+.LP
+-key hex explicit key as a hex string. Requires -iv; no
+.br
+ salt-based derivation is performed.
+.br
+.LP
+-iv hex initialization vector as a hex string.
+.br
+.LP
+-inkey file read the key from a file.
+.br
+.LP
+-md digest digest to use for key derivation, e.g. md5, sha256.
+.br
+.LP
+-pbkdf2 use PBKDF2 for key derivation.
+.br
+.LP
+-base64 base64-encode output (encrypt) or decode input (decrypt).
+.br
+.LP
+-nosalt do not use a salt in key derivation.
+.br
+.LP
+-p print debug information (key, IV, salt).
+.SH EXAMPLES
+Encrypt a file:
+.br
+wolfssl enc -aes-cbc-128 -pwd Thi$i$myPa$$w0rd -in plain.txt -out cipher.txt
+.br
+.LP
+Decrypt it again:
+.br
+wolfssl enc -d -aes-cbc-128 -pwd Thi$i$myPa$$w0rd -in cipher.txt -out plain.txt
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.SH SEE ALSO
+.BR wolfssl-encrypt(1) ", " wolfssl-decrypt(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-encrypt.1 b/manpages/wolfssl-encrypt.1
new file mode 100644
index 00000000..4d145b0f
--- /dev/null
+++ b/manpages/wolfssl-encrypt.1
@@ -0,0 +1,88 @@
+.\" Manpage for wolfssl encrypt.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl encrypt man page"
+.SH NAME
+wolfssl-encrypt, encrypt \- cipher routines
+.SH SYNOPSIS
+wolfssl encrypt <-algorithm> [-in filename] [-out filename] [-pwd password] [-iv IV] [-key hex] [-inkey filename] [enc options]
+.SH DESCRIPTION
+Encrypts a file using a cipher and a password or key. For AES and 3DES
+(EVP path), password-based encryption derives both key and IV from the
+password and salt. For legacy non-EVP ciphers (e.g. Camellia), password
+mode derives the key from the password but generates a random IV stored in
+the file header. For decryption, see
+.B wolfssl-decrypt(1).
+.SH ALGORITHMS
+See
+.BR wolfssl-enc(1)
+for the supported cipher names and key sizes.
+.SH OPTIONS
+-in filename the input file to encrypt. When omitted, the user is
+.br
+ prompted interactively for a file name or string.
+.br
+.LP
+-out filename the output file. For AES and 3DES, defaults to
+.br
+ stdout when omitted. For other ciphers, the user is
+.br
+ prompted when omitted.
+.br
+.LP
+-pwd password password to derive the key from. Prompts user if password
+.br
+ option is not provided. If password option is used iv is not required.
+.br
+.LP
+-iv IV the actual iv to use with -key or -inkey. If not
+.br
+ provided with an explicit key, the command errors out.
+.br
+ Must be provided in hex.
+.br
+.LP
+-key hex the actual key to use, supplied as a hex string on the
+.br
+ command line. Length must match the algorithm key size.
+.br
+ Requires -iv: when an explicit key is supplied, no
+.br
+ salt-based key/iv derivation runs and no Salted__
+.br
+ header is written.
+.br
+.LP
+-inkey filename read the key from a file. The file may contain either a
+.br
+ hex-encoded key (whitespace within the file is ignored)
+.br
+ or a raw binary key whose byte length matches the
+.br
+ algorithm key size. The argument must name a real
+.br
+ file; use -key to pass a hex key on the command line.
+.br
+.LP
+Additional options shared with
+.BR wolfssl-enc(1)
+also work here: -pbkdf2, -md, -base64, -nosalt, -p, -k, -pass.
+.SH EXAMPLES
+Encrypt a file with a password:
+.RS
+wolfssl encrypt -aes-cbc-256 -in myfile.txt -out myfile.enc -pwd mypassword
+.RE
+.LP
+Encrypt with an explicit key (advanced):
+.RS
+wolfssl encrypt -aes-cbc-256 -in myfile.txt -out myfile.enc -key 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef0123456789abcdef
+.RE
+.SH SEE ALSO
+.BR wolfssl-decrypt(1) ", " wolfssl-enc(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-genkey.1 b/manpages/wolfssl-genkey.1
new file mode 100644
index 00000000..bc1d9975
--- /dev/null
+++ b/manpages/wolfssl-genkey.1
@@ -0,0 +1,103 @@
+.\" Manpage for wolfssl genkey.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl genkey man page"
+.SH NAME
+wolfssl-genkey, genkey \- generate cryptographic keys
+.SH SYNOPSIS
+wolfssl genkey -out filename [-size bits] [-outform PEM|DER|RAW] [-output PUB|PRIV|KEYPAIR] [-exponent n] [-name curve] [-level N] [-height N] [-layer N]
+.SH DESCRIPTION
+Generates a key of the requested type and writes the public key, private
+key, or both. The set of available key types depends on the wolfSSL
+configure options.
+.SH KEY TYPES
+rsa
+.br
+ecc
+.br
+ed25519
+.br
+dilithium \- only if wolfSSL was built with Dilithium support
+.br
+ml-dsa \- only if wolfSSL was built with Dilithium support (produces
+.br
+ keys with ML-DSA OIDs, not interchangeable with dilithium keys)
+.br
+xmss / xmssmt \- only if wolfSSL was built with XMSS support
+.SH OPTIONS
+-out filename base output filename (required). The suffixes .priv
+.br
+ and .pub are added for the private and public key
+.br
+ files.
+.br
+.LP
+-size bits key size in bits (for key types that take a size,
+.br
+ e.g. rsa).
+.br
+.LP
+-outform PEM|DER|RAW output format (default DER). xmss and xmssmt only
+.br
+ meaningfully support raw; PEM/DER log a warning.
+.br
+.LP
+-exponent n RSA public exponent (default 65537).
+.br
+.LP
+-name curve ECC curve name, e.g. secp256r1 (default curve used
+.br
+ when omitted).
+.br
+.LP
+-output PUB|PRIV|KEYPAIR
+.br
+ which keys to output. KEYPAIR writes both, PUB writes
+.br
+ only the public key, PRIV only the private key.
+.br
+.LP
+-level [2|3|5] security level for dilithium / ml-dsa keys.
+.br
+.LP
+-height N tree height. For xmss: 10 or 16. For xmssmt: 20, 40,
+.br
+ or 60 (invalid values fall back to 20).
+.br
+.LP
+-layer [2|3|4|6|8|12] number of layers for xmssmt keys.
+.SH EXAMPLES
+Generate a 2048-bit RSA key pair in DER format (default):
+.br
+wolfssl genkey rsa -size 2048 -out mykey
+.br
+.LP
+Generate a 2048-bit RSA key pair in PEM format:
+.br
+wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEYPAIR
+.br
+.LP
+The command above outputs the files mykey.priv and mykey.pub.
+.br
+.LP
+Generate a Dilithium key pair:
+.br
+wolfssl genkey dilithium -level 3 -out mykey -outform der -output KEYPAIR
+.br
+.LP
+Generate an XMSS key pair:
+.br
+wolfssl genkey xmss -height 10 -out mykey -outform raw -output KEYPAIR
+.SH NOTES
+For XMSS/XMSS^MT the key file name encodes the parameters (for example
+"XMSS-SHA2_10_256"); these parameters are determined from the file name
+when signing.
+.SH SEE ALSO
+.BR wolfssl-req(1) ", " wolfssl-ca(1) ", " wolfssl-sign_verify(1) ", " wolfssl-encrypt(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-hash.1 b/manpages/wolfssl-hash.1
new file mode 100644
index 00000000..851ef20b
--- /dev/null
+++ b/manpages/wolfssl-hash.1
@@ -0,0 +1,72 @@
+.\" Manpage for wolfssl command line utility hash.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl hash man page"
+.SH NAME
+wolfssl-hash, hash \- hashing utility
+.SH SYNOPSIS
+wolfssl hash -in filename [-out filename] [-size size]
+.br
+wolfssl md5|sha256|sha384|sha512 filename
+.SH DESCRIPTION
+This command hashes the contents of an input file based on the chosen
+algorithm. For "wolfssl hash", an input file is required via -in. The
+shortcut commands (md5/sha256/sha384/sha512) take the filename as a
+positional argument (e.g. "wolfssl sha256 filename"). If no filename is
+given, input is read from standard input. The digest is written to standard
+output; shortcut commands do not accept -out or other options.
+.SH ALGORITHMS
+md5
+.br
+sha (SHA-1; only via "wolfssl hash sha -in file", no bare shortcut command)
+.br
+sha256
+.br
+(NOTE: The following are only available if ./configure supports them)
+.br
+sha384
+.br
+sha512
+.br
+blake2b
+.br
+base64enc / base64dec (encode/decode, when coding support is enabled;
+.br
+ base64enc additionally requires WOLFSSL_BASE64_ENCODE)
+.SH SHORTCUT COMMANDS
+The following may be used directly as the first argument to wolfssl as a
+convenience. These shortcut commands use a different syntax than the
+generic "wolfssl hash" command: they take the filename as a positional
+argument rather than with the -in flag, and do not support -out:
+.br
+md5 filename \- create an MD5 hash
+.br
+sha256 filename \- create a SHA-256 hash
+.br
+sha384 filename \- create a SHA-384 hash
+.br
+sha512 filename \- create a SHA-512 hash
+.SH OPTIONS
+-in filename the input file to hash (required for "wolfssl hash").
+.br
+ The file must exist; if it cannot be opened the
+.br
+ command exits with an error.
+.br
+.LP
+-out filename the output filename for "wolfssl hash" only. If the
+.br
+ file does not exist, it will be created.
+.LP
+-size size Usable only with Blake2b. Block size of the function.
+.br
+ (only available for specific algorithms)
+.SH SEE ALSO
+.BR wolfssl-md5(1) ", " wolfssl-sha256(1) ", " wolfssl-sha384(1) ", " wolfssl-sha512(1) ", " wolfssl-dgst(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-md5.1 b/manpages/wolfssl-md5.1
new file mode 100644
index 00000000..15e6786f
--- /dev/null
+++ b/manpages/wolfssl-md5.1
@@ -0,0 +1,5 @@
+.\" Alias page: md5 hashing is documented in wolfssl-hash.1.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl md5 man page"
+.SH NAME
+wolfssl-md5, md5 \- compute MD5 message digest
+.so man1/wolfssl-hash.1
diff --git a/manpages/wolfssl-ocsp.1 b/manpages/wolfssl-ocsp.1
new file mode 100644
index 00000000..40d0035b
--- /dev/null
+++ b/manpages/wolfssl-ocsp.1
@@ -0,0 +1,84 @@
+.\" Manpage for wolfssl ocsp.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl ocsp man page"
+.SH NAME
+wolfssl-ocsp, ocsp \- OCSP client and responder utility
+.SH SYNOPSIS
+wolfssl ocsp [client options] [responder options]
+.SH DESCRIPTION
+Acts as an OCSP client to check certificate revocation status, or as an
+OCSP responder (when \-port is given) to serve status responses.
+.SH GENERAL OPTIONS
+-CAfile file trusted certificates file.
+.br
+.LP
+-help print the ocsp help summary and exit.
+.SH CLIENT OPTIONS
+Client mode is entered by any of \-cert, \-url, or \-issuer, and requires
+both \-cert and \-issuer to complete a check.
+.LP
+-cert file certificate to check (required for client mode).
+.br
+.LP
+-issuer file issuer certificate (required for client mode).
+.br
+.LP
+-url URL responder URL (overrides the AIA in the certificate).
+.br
+.LP
+-no_nonce do not add an OCSP nonce to the request.
+.SH RESPONDER OPTIONS
+-port n port to run the responder on.
+.br
+.LP
+-index file certificate status index file.
+.br
+.LP
+-rsigner file responder certificate used to sign responses.
+.br
+.LP
+-rkey file responder key used to sign responses.
+.br
+.LP
+-CA file CA certificate.
+.br
+.LP
+-scgi use the SCGI protocol (for a web server reverse proxy).
+.br
+.LP
+-nrequest n stop the responder after processing n requests (0 =
+.br
+ unlimited).
+.SH EXAMPLES
+Check a certificate's status against the responder named in its AIA:
+.RS
+wolfssl ocsp -cert server-cert.pem -issuer ca-cert.pem
+.RE
+.LP
+Check a certificate against an explicit responder URL:
+.RS
+wolfssl ocsp -cert server-cert.pem -issuer ca-cert.pem -url http://ocsp.example.com
+.RE
+.LP
+Run an OCSP responder on port 22221:
+.RS
+wolfssl ocsp -port 22221 -index index.txt -rsigner ocsp-cert.pem -rkey ocsp-key.pem -CA ca-cert.pem
+.RE
+.SH SEE ALSO
+.BR wolfssl-verify(1) ", " wolfssl-crl(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with OCSP support (HAVE_OCSP and
+HAVE_OCSP_RESPONDER). Exactly one mode must be selected: responder mode via
+\-port, or client mode via \-cert/\-url/\-issuer (see CLIENT OPTIONS).
+Selecting both, or neither, is an error. For OpenSSL compatibility the tool
+accepts many additional ocsp flags (e.g. \-CApath, \-ignore_err, \-host,
+\-path, \-serial, \-nonce, \-out, \-text), but these are not yet implemented
+and currently return an error.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-pkcs12.1 b/manpages/wolfssl-pkcs12.1
new file mode 100644
index 00000000..d367c687
--- /dev/null
+++ b/manpages/wolfssl-pkcs12.1
@@ -0,0 +1,49 @@
+.\" Manpage for wolfssl pkcs12.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkcs12 man page"
+.SH NAME
+wolfssl-pkcs12, pkcs12 \- parse PKCS#12 bundles
+.SH SYNOPSIS
+wolfssl pkcs12 -in file [-out file] [-passin source] [-nodes] [-nocerts] [-nokeys]
+.SH DESCRIPTION
+Parses a PKCS#12 bundle and extracts the certificates and private key it
+contains.
+.SH OPTIONS
+-in file file input for the PKCS#12 bundle (required).
+.br
+.LP
+-out file file to write results to (default stdout).
+.br
+.LP
+-passin source password source for encrypted input bundles, e.g.
+.br
+ pass: or stdin. Required when the bundle is
+.br
+ encrypted.
+.br
+.LP
+-nodes do not encrypt the private key on output. Without
+.br
+ -nodes, the user is prompted on stdin for an output
+.br
+ encryption password.
+.br
+.LP
+-nocerts do not output certificates.
+.br
+.LP
+-nokeys do not output keys.
+.SH NOTES
+Available only when wolfSSL is built with PKCS#12 support (HAVE_PKCS12) and
+filesystem support. -passout is accepted for OpenSSL compatibility but is
+currently a no-op.
+.SH SEE ALSO
+.BR wolfssl-pkcs8(1) ", " wolfssl-pkcs7(1) ", " wolfssl-pkey(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-pkcs7.1 b/manpages/wolfssl-pkcs7.1
new file mode 100644
index 00000000..8a00d3ea
--- /dev/null
+++ b/manpages/wolfssl-pkcs7.1
@@ -0,0 +1,40 @@
+.\" Manpage for wolfssl pkcs7.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkcs7 man page"
+.SH NAME
+wolfssl-pkcs7, pkcs7 \- parse PKCS#7 files
+.SH SYNOPSIS
+wolfssl pkcs7 [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-print_certs]
+.SH DESCRIPTION
+Parses a PKCS#7 structure. Without -print_certs, the default output is
+the parsed PKCS#7 blob re-encoded in the chosen output format. With
+-print_certs, the contained certificates are extracted and written out.
+.SH OPTIONS
+-in file file input for the PKCS#7 structure (optional; reads
+.br
+ stdin when omitted).
+.br
+.LP
+-out file file to write results to (default stdout).
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-print_certs output the certificates contained in the structure.
+.SH SEE ALSO
+.BR wolfssl-pkcs12(1) ", " wolfssl-pkcs8(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with PKCS#7 support (HAVE_PKCS7) and
+filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-pkcs8.1 b/manpages/wolfssl-pkcs8.1
new file mode 100644
index 00000000..c287b73b
--- /dev/null
+++ b/manpages/wolfssl-pkcs8.1
@@ -0,0 +1,51 @@
+.\" Manpage for wolfssl pkcs8.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkcs8 man page"
+.SH NAME
+wolfssl-pkcs8, pkcs8 \- convert between PKCS#8 and traditional private key formats
+.SH SYNOPSIS
+wolfssl pkcs8 [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-passin source] [-traditional] [-topk8] [-nocrypt]
+.SH DESCRIPTION
+Converts private keys between PKCS#8 and traditional (PKCS#1) formats.
+If neither -traditional nor -topk8 is given, output defaults to PKCS#8 PEM.
+.SH OPTIONS
+-in file file input for the key (optional; reads stdin when
+.br
+ omitted).
+.br
+.LP
+-out file file to write results to (default stdout).
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-passin source password source for encrypted input keys, e.g.
+.br
+ pass: or stdin.
+.br
+.LP
+-traditional output the key in traditional (PKCS#1) format.
+.br
+.LP
+-topk8 output the key in PKCS#8 format.
+.br
+.LP
+-nocrypt output an unencrypted private key.
+.SH SEE ALSO
+.BR wolfssl-pkcs7(1) ", " wolfssl-pkcs12(1) ", " wolfssl-pkey(1) ", " wolfssl-genkey(1)
+.SH NOTES
+Available only when wolfSSL is built with PKCS#8 support (not NO_PKCS8) and
+filesystem support. Encrypting PKCS#8 keys on output is not yet supported;
+use -nocrypt when writing PKCS#8.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-pkey.1 b/manpages/wolfssl-pkey.1
new file mode 100644
index 00000000..85a17479
--- /dev/null
+++ b/manpages/wolfssl-pkey.1
@@ -0,0 +1,45 @@
+.\" Manpage for wolfssl pkey.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl pkey man page"
+.SH NAME
+wolfssl-pkey, pkey \- public and private key processing
+.SH SYNOPSIS
+wolfssl pkey [-in file] [-out file] [-inform PEM|DER] [-outform PEM|DER] [-pubin] [-pubout]
+.SH DESCRIPTION
+Reads a public or private key, converts it between PEM and DER, and
+optionally outputs only the public portion. RSA, ECC, and Ed25519 keys are
+supported; DSA keys are rejected.
+.SH OPTIONS
+-in file input file for the key to read (optional; without -in
+.br
+ the command exits successfully with no output).
+.br
+.LP
+-out file file to output to (default stdout).
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-pubin expect a public key as input. Also forces public-key
+.br
+ output (equivalent to setting -pubout).
+.br
+.LP
+-pubout output the public key.
+.SH SEE ALSO
+.BR wolfssl-genkey(1) ", " wolfssl-rsa(1) ", " wolfssl-pkcs8(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support. Encrypted PEM
+private keys are not supported (no -passin option).
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-rand.1 b/manpages/wolfssl-rand.1
new file mode 100644
index 00000000..263e9dfe
--- /dev/null
+++ b/manpages/wolfssl-rand.1
@@ -0,0 +1,33 @@
+.\" Manpage for wolfssl rand.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl rand man page"
+.SH NAME
+wolfssl-rand, rand \- generate random data
+.SH SYNOPSIS
+wolfssl rand [-out file] [-base64] [-hex]
+.SH DESCRIPTION
+Generates the requested number of pseudorandom bytes and writes them to a
+file or to standard output.
+.SH OPTIONS
+-out file file to output data to (default stdout).
+.br
+.LP
+-base64 output the result in base64 encoding.
+.br
+.LP
+-hex output the result in hex encoding. -base64 and -hex
+.br
+ are mutually exclusive.
+.SH NOTES
+The number of bytes to generate is given as the final argument. Available
+only when wolfSSL is built with an RNG (not WC_NO_RNG).
+.SH SEE ALSO
+.BR wolfssl-base64(1) ", " wolfssl-enc(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-req.1 b/manpages/wolfssl-req.1
new file mode 100644
index 00000000..ec1c1f9e
--- /dev/null
+++ b/manpages/wolfssl-req.1
@@ -0,0 +1,113 @@
+.\" Manpage for wolfssl req.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl req man page"
+.SH NAME
+wolfssl-req, req \- generate certificate requests and self-signed certificates
+.SH SYNOPSIS
+wolfssl req [-new] [-in file] [-out file] [-key file] [-newkey type:bits] [-keyout file] [-inform PEM|DER] [-outform PEM|DER] [-config file] [-days n] [-x509] [-subj name] [-extensions section] [-nodes] [-passout source] [-sha|-sha224|-sha256|-sha384|-sha512] [-verify] [-text] [-noout]
+.SH DESCRIPTION
+Creates a PKCS#10 certificate signing request (CSR), or with \-x509 a
+self-signed certificate. The signing key may be supplied with \-key or
+generated on the fly with \-newkey. Without -subj or -config, subject
+fields are collected interactively. Without -keyout, a generated private
+key is written to stdout.
+.SH OPTIONS
+-new OpenSSL compatibility flag (no-op).
+.br
+.LP
+-in file input file to read from.
+.br
+.LP
+-out file file to write to (default stdout).
+.br
+.LP
+-key file private key used to sign the certificate request.
+.br
+.LP
+-newkey type:bits generate the private key to use with the request.
+.br
+ RSA: rsa:2048. Dilithium (with -x509 and certgen):
+.br
+ dilithium:2, dilithium:3, dilithium:5, or ml-dsa:N.
+.br
+ For ECC keys, generate with ecparam first.
+.br
+.LP
+-keyout file file to output the generated key to.
+.br
+.LP
+-inform PEM|DER format for -in.
+.br
+.LP
+-outform PEM|DER format for -out.
+.br
+.LP
+-config file file to parse for certificate configuration.
+.br
+.LP
+-days n number of days the certificate should be valid for.
+.br
+.LP
+-x509 generate a self-signed certificate instead of a CSR.
+.br
+.LP
+-subj name subject name in /key=value/... format, e.g.
+.br
+ /C=US/ST=WA/L=Seattle/O=wolfSSL/CN=wolfSSL.
+.br
+.LP
+-extensions section section of the config file to read extensions from.
+.br
+.LP
+-nodes do not encrypt the private key on output.
Without
+.br
+ -nodes, generated keys are encrypted and the user is
+.br
+ prompted for an encryption password.
+.br
+.LP
+-passout source password source for encrypting the output key, e.g.
+.br
+ pass: or stdin.
+.br
+.LP
+-sha, -sha224, -sha256, -sha384, -sha512
+.br
+ signing digest (default SHA-256 when omitted).
+.br
+.LP
+-verify check the signature on the request.
+.br
+.LP
+-text output human readable text of the request.
+.br
+.LP
+-noout do not print the generated results.
+.SH EXAMPLES
+Create a certificate signing request (CSR) with a new key:
+.RS
+wolfssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out mycsr.pem -subj "/C=US/ST=WA/L=Seattle/O=MyCompany/CN=example.com"
+.RE
+.LP
+Create a self-signed certificate valid for 365 days:
+.RS
+wolfssl req -new -x509 -newkey rsa:2048 -nodes -keyout mykey.pem -out mycert.pem -days 365 -subj "/C=US/O=Test/CN=localhost"
+.RE
+.LP
+View a CSR in human-readable format:
+.RS
+wolfssl req -in mycsr.pem -text -noout
+.RE
+.SH SEE ALSO
+.BR wolfssl-genkey(1) ", " wolfssl-ca(1) ", " wolfssl-x509(1)
+.SH NOTES
+Available only when wolfSSL is built with certificate request support
+(WOLFSSL_CERT_REQ) and filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-rsa.1 b/manpages/wolfssl-rsa.1
new file mode 100644
index 00000000..0f3021de
--- /dev/null
+++ b/manpages/wolfssl-rsa.1
@@ -0,0 +1,61 @@
+.\" Manpage for wolfssl rsa.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl rsa man page"
+.SH NAME
+wolfssl-rsa, rsa \- RSA key processing
+.SH SYNOPSIS
+wolfssl rsa [-in file] [-inform PEM|DER] [-out file] [-outform PEM|DER] [-passin source] [-pubin] [-pubout] [-RSAPublicKey_in] [-noout] [-modulus]
+.SH DESCRIPTION
+Reads an RSA key, converts it between PEM and DER, and prints selected
+key information. This is the RSA key-processing command; for legacy RSA
+signing and verification see the sign/verify documentation (wolfssl -rsa
+-sign / -verify).
+.SH OPTIONS
+-in file input file for the key to read.
+.br
+.LP
+-inform PEM|DER input format.
+.br
+.LP
+-out file file to write the result to (default stdout).
+.br
+.LP
+-outform PEM|DER output format.
+.br
+.LP
+-passin source password source for PEM-encrypted input files, e.g.
+.br
+ pass: or stdin. Applies to PEM input only;
+.br
+ DER private-key reads ignore -passin.
+.br
+.LP
+-pubin expect a public key as input. Also forces public-key
+.br
+ output (equivalent to setting -pubout).
+.br
+.LP
+-pubout output a public key.
+.br
+.LP
+-RSAPublicKey_in expect an RSAPublicKey-format public key as input.
+.br
+.LP
+-noout suppress key re-encoding on output. Does not suppress
+.br
+ -modulus output when both are given.
+.br
+.LP
+-modulus print out the RSA modulus (n).
+.SH SEE ALSO
+.BR wolfssl-genkey(1) ", " wolfssl-pkey(1) ", " wolfssl-sign_verify(1) ", " wolfssl-dgst(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-s_client.1 b/manpages/wolfssl-s_client.1
new file mode 100644
index 00000000..3bfaa562
--- /dev/null
+++ b/manpages/wolfssl-s_client.1
@@ -0,0 +1,71 @@
+.\" Manpage for wolfssl s_client.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl s_client man page"
+.SH NAME
+wolfssl-s_client, s_client \- basic TLS client for testing connections
+.SH SYNOPSIS
+wolfssl s_client -connect : [-starttls proto] [-CAfile file] [-verify_return_error] [-disable_stdin_check] [-noservername] [-help]
+.SH DESCRIPTION
+Opens a TLS connection to a server for testing. Server Name Indication is
+sent by default. Certificate verification is disabled by default and can be
+enabled with -verify_return_error.
+.SH OPTIONS
+-connect host:port address and port to connect to. IPv6 addresses use
+.br
+ bracket notation, e.g. -connect '[::1]:11111'.
+.br
+.LP
+-starttls proto use STARTTLS for the named protocol, e.g. smtp.
+.br
+.LP
+-CAfile file CA certificate file. Has no effect on whether the
+.br
+ connection succeeds or fails unless
+.br
+ \-verify_return_error is also given (see NOTES).
+.br
+.LP
+-verify_return_error close the connection on a verification error.
+.br
+.LP
+-disable_stdin_check do not wait for or read input on stdin; useful when
+.br
+ scripting the client.
+.br
+.LP
+-noservername do not send Server Name Indication.
+.br
+.LP
+-help, -h print the s_client help summary and exit.
+.SH EXAMPLES
+Connect to a server without certificate verification (testing only):
+.RS
+wolfssl s_client -connect example.com:443
+.RE
+.LP
+Connect and verify the server's certificate:
+.RS
+wolfssl s_client -connect example.com:443 -CAfile ca-cert.pem -verify_return_error
+.RE
+.LP
+Connect to an SMTP server using STARTTLS:
+.RS
+wolfssl s_client -connect mail.example.com:25 -starttls smtp
+.RE
+.SH SEE ALSO
+.BR wolfssl-s_server(1) ", " wolfssl-verify(1) ", " wolfssl-ocsp(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.LP
+The client negotiates the highest TLS version both peers support. CRL
+checking is not performed.
The server certificate is only verified when
+\-verify_return_error is given; without it the connection proceeds
+unverified (with a warning) even if \-CAfile is supplied.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-s_server.1 b/manpages/wolfssl-s_server.1
new file mode 100644
index 00000000..42175214
--- /dev/null
+++ b/manpages/wolfssl-s_server.1
@@ -0,0 +1,71 @@
+.\" Manpage for wolfssl s_server.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl s_server man page"
+.SH NAME
+wolfssl-s_server, s_server \- basic TLS server for testing connections
+.SH SYNOPSIS
+wolfssl s_server -port -cert -key [-CAfile file] [-noVerify] [-version n] [-naccept n] [-www] [-readyFile file] [-help]
+.SH DESCRIPTION
+Runs a simple TLS server for testing connections. Supply a certificate and
+key (\-cert and \-key, PEM only). By default the server accepts one
+connection and then exits; use \-naccept to change this.
+.SH OPTIONS
+-port n port to listen on.
+.br
+.LP
+-cert file server certificate (PEM only).
+.br
+.LP
+-key file server private key (PEM only).
+.br
+.LP
+-CAfile file CA certificate for verifying client certificates
+.br
+ (PEM only; forwarded as the server -A argument).
+.br
+.LP
+-noVerify disable the client certificate check.
+.br
+.LP
+-version n SSL/TLS version [0-4], SSLv3(0) through TLS1.3(4).
+.br
+.LP
+-naccept n number of connections to accept (default 1).
+.br
+.LP
+-www respond in HTML format.
+.br
+.LP
+-readyFile file write a file once the server is listening, so a script
+.br
+ can wait for it before connecting.
+.br
+.LP
+-help, -h print the s_server help summary and exit.
+.SH EXAMPLES
+Start a basic TLS server on port 443:
+.RS
+wolfssl s_server -port 443 -cert server-cert.pem -key server-key.pem
+.RE
+.LP
+Start a TLS server that accepts multiple connections:
+.RS
+wolfssl s_server -port 8443 -cert server-cert.pem -key server-key.pem -naccept 10
+.RE
+.LP
+Test with s_client in another terminal:
+.RS
+wolfssl s_client -connect localhost:8443
+.RE
+.SH SEE ALSO
+.BR wolfssl-s_client(1) ", " wolfssl-req(1) ", " wolfssl-ca(1)
+.SH NOTES
+Available only when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc.
All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-sha256.1 b/manpages/wolfssl-sha256.1
new file mode 100644
index 00000000..8cdb5950
--- /dev/null
+++ b/manpages/wolfssl-sha256.1
@@ -0,0 +1,5 @@
+.\" Alias page: sha256 hashing is documented in wolfssl-hash.1.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sha256 man page"
+.SH NAME
+wolfssl-sha256, sha256 \- compute SHA-256 message digest
+.so man1/wolfssl-hash.1
diff --git a/manpages/wolfssl-sha384.1 b/manpages/wolfssl-sha384.1
new file mode 100644
index 00000000..1d0b0234
--- /dev/null
+++ b/manpages/wolfssl-sha384.1
@@ -0,0 +1,5 @@
+.\" Alias page: sha384 hashing is documented in wolfssl-hash.1.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sha384 man page"
+.SH NAME
+wolfssl-sha384, sha384 \- compute SHA-384 message digest
+.so man1/wolfssl-hash.1
diff --git a/manpages/wolfssl-sha512.1 b/manpages/wolfssl-sha512.1
new file mode 100644
index 00000000..c2ae37fc
--- /dev/null
+++ b/manpages/wolfssl-sha512.1
@@ -0,0 +1,5 @@
+.\" Alias page: sha512 hashing is documented in wolfssl-hash.1.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sha512 man page"
+.SH NAME
+wolfssl-sha512, sha512 \- compute SHA-512 message digest
+.so man1/wolfssl-hash.1
diff --git a/manpages/wolfssl-sign_verify.1 b/manpages/wolfssl-sign_verify.1
new file mode 100644
index 00000000..f3b012a3
--- /dev/null
+++ b/manpages/wolfssl-sign_verify.1
@@ -0,0 +1,88 @@
+.\" Manpage for wolfssl sign/verify (rsa, ecc, ed25519, dilithium, xmss, xmssmt).
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl sign/verify man page"
+.SH NAME
+wolfssl-sign_verify, sign, verify \- raw public-key signing and signature verification
+.SH SYNOPSIS
+wolfssl - -sign -inkey -in -out [-inform PEM|DER]
+.br
+wolfssl - -verify -inkey -sigfile -out [-in ] [-pubin] [-inform PEM|DER]
+.SH DESCRIPTION
+Creates or verifies a raw public-key signature. The keytype is one of the
+supported algorithms below. These are the per-algorithm sign/verify modes;
+for digest-based signing see dgst, and for RSA key conversion see the rsa
+command.
+.SH KEY TYPES
+-rsa Legacy RSA signing and verification.
+.br
+-ecc ECC signing and verification.
+.br
+-ed25519 Ed25519 signing and verification (requires HAVE_ED25519).
+.br
+-dilithium Dilithium (ML-DSA) signing and verification (requires HAVE_DILITHIUM).
+.br
+-xmss XMSS signing and verification (requires WOLFSSL_HAVE_XMSS).
+.br
+-xmssmt XMSS^MT signing and verification (requires WOLFSSL_HAVE_XMSS).
+.SH OPTIONS
+-sign create a signature.
+.br
+.LP
+-verify verify a signature.
+.br
+.LP
+-inkey file key to use. A private key for signing; for verify this
+.br
+ may be a private or public key (use -pubin for a public
+.br
+ key).
+.br
+.LP
+-in file input file: the data to sign, or for verify the
+.br
+ original data (required for most key types; ignored
+.br
+ for RSA verify).
+.br
+.LP
+-inform PEM|DER input format of the key file (default DER).
+.br
+.LP
+-out file output file for the signature when signing (required
+.br
+ for all key types). Also required for RSA verify;
+.br
+ optional for other verify modes.
+.br
+.LP
+-sigfile file signature file to check when verifying.
+.br
+.LP
+-pubin treat the key supplied with -inkey as a public key.
+.SH EXAMPLES
+Sign a file with an RSA private key:
+.br
+wolfssl -rsa -sign -inkey priv.pem -inform pem -in message.txt -out message.sig
+.br
+.LP
+Verify with an RSA public key:
+.br
+wolfssl -rsa -verify -inkey pub.pem -inform pem -sigfile message.sig -out verify.out -pubin
+.br
+.LP
+Verify with an ECC public key:
+.br
+wolfssl -ecc -verify -inkey pub.pem -inform pem -sigfile message.sig -in message.txt -pubin
+.SH NOTES
+Available only when wolfSSL is built with filesystem support. The set of
+usable key types depends on the wolfSSL configure options.
+.SH SEE ALSO
+.BR wolfssl-dgst(1) ", " wolfssl-genkey(1) ", " wolfssl-req(1) ", " wolfssl-ca(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-verify.1 b/manpages/wolfssl-verify.1
new file mode 100644
index 00000000..3f785bd2
--- /dev/null
+++ b/manpages/wolfssl-verify.1
@@ -0,0 +1,67 @@
+.\" Manpage for wolfssl verify.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl verify man page"
+.SH NAME
+wolfssl-verify, verify \- verify an X.509 certificate chain
+.SH SYNOPSIS
+wolfssl verify -CAfile [-untrusted ] [-crl_check] [-partial_chain]
+.SH DESCRIPTION
+Verifies an X.509 certificate against a trusted CA certificate, optionally
+building the chain with an intermediate certificate and checking
+revocation.
+.SH OPTIONS
+-CAfile file trusted CA certificate to verify against (PEM only).
+.br
+ Must be a self-signed root CA unless \-partial_chain
+.br
+ is given; an intermediate CA causes "CA file is not
+.br
+ root CA".
+.br
+.LP
+-untrusted file intermediate certificate file. Only one intermediate
+.br
+ certificate may be loaded.
+.br
+.LP
+-crl_check enable CRL checking. Requires wolfSSL built with CRL
+.br
+ support (HAVE_CRL).
+.br
+.LP
+-partial_chain allow verification to succeed with a partial chain.
+.br
+ Also permits using a non-root CA in -CAfile.
+.SH EXAMPLES
+Verify a certificate against a trusted root CA:
+.RS
+wolfssl verify -CAfile ca-cert.pem server-cert.pem
+.RE
+.LP
+Verify a certificate with an intermediate CA:
+.RS
+wolfssl verify -CAfile ca-cert.pem -untrusted intermediate-cert.pem server-cert.pem
+.RE
+.LP
+Verify a certificate with CRL checking (concatenate the CRL PEM into the
+CA file; there is no separate CRL-loading option):
+.RS
+wolfssl verify -CAfile ca-and-crl.pem -crl_check server-cert.pem
+.RE
+.SH SEE ALSO
+.BR wolfssl-x509(1) ", " wolfssl-crl(1)
+.SH NOTES
+The certificate to verify is given as the final argument. -CAfile must be
+a PEM file. Unless -partial_chain is given, -CAfile must be a self-signed
+root CA; supplying an intermediate CA without -partial_chain fails with
+"CA file is not root CA". With -crl_check, revocation data must already be
+present in -CAfile (for example by concatenating the CRL PEM after the CA
+certificate).
Available only when wolfSSL is built with filesystem support.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-version.1 b/manpages/wolfssl-version.1
new file mode 100644
index 00000000..119d91bc
--- /dev/null
+++ b/manpages/wolfssl-version.1
@@ -0,0 +1,27 @@
+.\" Manpage for wolfssl version.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl version man page"
+.SH NAME
+wolfssl-version, version \- display wolfCLU and wolfSSL version information
+.SH SYNOPSIS
+wolfssl version
+.br
+wolfssl -v
+.br
+wolfssl -version
+.SH DESCRIPTION
+Prints the version information for both the wolfCLU command-line utility and
+the underlying wolfSSL library it is linked against.
+.SH NOTES
+The version command takes no arguments. The same output is available via
+the top-level modes wolfssl -v and wolfssl -version. FIPS builds append
+" FIPS" to the library version string and may print additional notes about
+algorithm restrictions.
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-x509.1 b/manpages/wolfssl-x509.1
new file mode 100644
index 00000000..01e9dc84
--- /dev/null
+++ b/manpages/wolfssl-x509.1
@@ -0,0 +1,130 @@
+.\" Manpage for wolfssl x509.
+.\" Contact facts@wolfssl.com to correct errors or typos.
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl x509 man page"
+.SH NAME
+wolfssl-x509, x509 \- X.509 certificate processing and conversion
+.SH SYNOPSIS
+wolfssl x509 [-inform PEM|DER] [-in file] [-outform PEM|DER] [-out file] [-req] [-signkey file] [-extfile file] [-extensions section] [-sha1|-sha224|-sha256|-sha384|-sha512] [-noout] [-text] [-subject] [-issuer] [-serial] [-dates] [-email] [-fingerprint] [-purpose] [-hash] [-modulus] [-pubkey]
+.SH DESCRIPTION
+Reads an X.509 certificate and converts it between PEM and DER formats
+and/or prints selected fields. By default the (re-encoded) certificate is
+written to the output.
+.SH OPTIONS
+-in file the certificate file to read from (optional; reads
+.br
+ stdin when omitted).
+.br
+.LP
+-out file output file to write to.
+.br
+.LP
+-inform PEM|DER input format of the certificate.
+.br
+.LP
+-outform PEM|DER output format of the certificate.
+.br
+.LP
+-req treat the input file as a CSR and sign it into a
+.br
+ certificate. Requires a matching -signkey; cannot be
+.br
+ used alone to view or convert a CSR. PEM CSR input is
+.br
+ supported; DER CSR input with -inform der is not
+.br
+ (input is parsed as a certificate).
+.br
+.LP
+-signkey file private key used when signing a CSR with -req.
+.br
+.LP
+-extfile file configuration file for extensions. Only takes effect
+.br
+ when both -req and -signkey are also given; otherwise
+.br
+ silently ignored (see NOTES).
+.br
+.LP
+-extensions section section of the config file to use. Only takes effect
+.br
+ when both -req and -signkey are also given; otherwise
+.br
+ silently ignored (see NOTES).
+.br
+.LP
+-sha1, -sha224, -sha256, -sha384, -sha512
+.br
+ digest to use when signing a CSR with -req (default
+.br
+ SHA-256 when omitted).
+.br
+.LP
+-noout do not output the certificate.
+.br
+.LP
+-text print human readable text of the certificate.
+.br
+.LP
+-subject print out the subject name.
+.br
+.LP
+-issuer print out the issuer name.
+.br
+.LP
+-serial print out the serial number in hex.
+.br
+.LP
+-dates print out the validity dates of the certificate.
+.br
+.LP
+-email print out the subject's email address.
+.br
+.LP
+-fingerprint print the SHA-1 fingerprint of the certificate DER.
+.br
+.LP
+-purpose print out the certificate's purpose.
+.br
+.LP
+-hash print out the hash of the certificate subject name.
+.br
+.LP
+-modulus print out the RSA key modulus.
+.br
+.LP
+-pubkey print out the public key.
+.SH NOTES
+Unless both -req and -signkey are used, -extfile and -extensions are
+silently ignored on output: the (re-encoded) certificate is written from
+the original input DER, not from any in-memory changes made while parsing
+extensions.
+.SH EXAMPLES
+View certificate details in human-readable format:
+.RS
+wolfssl x509 -in mycert.pem -text -noout
+.RE
+.LP
+Check when a certificate expires:
+.RS
+wolfssl x509 -in mycert.pem -dates -noout
+.RE
+.LP
+Extract the public key from a certificate:
+.RS
+wolfssl x509 -in mycert.pem -pubkey -noout > pubkey.pem
+.RE
+.LP
+Convert a PEM certificate to DER:
+.RS
+wolfssl x509 -inform pem -in certs/ca-cert.pem -outform der -out certs/ca-cert.der
+.RE
+.SH SEE ALSO
+.BR wolfssl-req(1) ", " wolfssl-ca(1) ", " wolfssl-verify(1)
+.SH BUGS
+No known bugs at this time.
+.SH AUTHOR
+wolfSSL, Inc. (facts@wolfssl.com)
+.SH COPYRIGHT
+Copyright 2026 wolfSSL Inc. All rights reserved.
+.SH REPORTING BUGS
+Report wolfssl bugs to support@wolfssl.com
diff --git a/manpages/wolfssl-xmss.1 b/manpages/wolfssl-xmss.1
new file mode 100644
index 00000000..447263cf
--- /dev/null
+++ b/manpages/wolfssl-xmss.1
@@ -0,0 +1,5 @@
+.\" Alias page: xmss sign/verify is documented in wolfssl-sign_verify(1).
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl xmss man page"
+.SH NAME
+wolfssl-xmss, xmss \- XMSS raw signing and verification
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl-xmssmt.1 b/manpages/wolfssl-xmssmt.1
new file mode 100644
index 00000000..aa7000fc
--- /dev/null
+++ b/manpages/wolfssl-xmssmt.1
@@ -0,0 +1,5 @@
+.\" Alias page: xmssmt sign/verify is documented in wolfssl-sign_verify(1).
+.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl xmssmt man page"
+.SH NAME
+wolfssl-xmssmt, xmssmt \- XMSS^MT raw signing and verification
+.so man1/wolfssl-sign_verify.1
diff --git a/manpages/wolfssl.1 b/manpages/wolfssl.1
index 6671276c..e2254846 100644
--- a/manpages/wolfssl.1
+++ b/manpages/wolfssl.1
@@ -1,35 +1,147 @@ .\" Manpage for wolfssl command line utility main options. -.\" Contact support@wolfssl.com to correct errors or typos. -.TH wolfSSL SSL1 "10 Dec 2014" "0.3" "wolfssl man page" +.\" Contact facts@wolfssl.com to correct errors or typos. +.TH wolfSSL SSL1 "June 2026" "0.2.0" "wolfssl man page" .SH NAME -wolfssl \- wolfSSL Command Line Utility. +wolfssl \- wolfSSL Command Line Utility. .SH SYNOPSIS wolfssl COMMAND [OPTIONS]... [ARGUMENTS]... .SH DESCRIPTION The wolfssl program is a command line tool for using various cryptographic functions of wolfSSL's wolfCrypt cryptography library. -wolfSSL supports industry standards up to the current TLSv1.2 and DTLSv1.2 and offers a simple API for ease of use. Which can be utilized for: - \- Encryption and Decryption with Ciphers +wolfSSL supports industry standards up to the current TLSv1.3 and DTLSv1.3 and offers a simple API for ease of use. It can be utilized for: + \- Encryption and decryption with ciphers \- Hashing functionality \- Benchmark utilities - \- x509 conversion from PEM to DER or DER to PEM - With more features to come. 
+ \- X.509 certificate processing and conversion + \- Certificate requests and signing (CA) + \- Key generation and key format conversion + \- Signing and signature verification + \- TLS client/server testing +.SH QUICK START +Here are three common tasks to get started: +.TP +.B Encrypt a file with a password +.RS +wolfssl encrypt -aes-cbc-256 -in myfile.txt -out myfile.enc -pwd mypassword +.RE +.TP +.B Generate a 2048-bit RSA key pair +.RS +wolfssl genkey rsa -size 2048 -out mykey -outform pem +.br +(writes PEM keys to mykey.priv and mykey.pub; default output format is DER) +.RE +.TP +.B Create a certificate for testing +.RS +wolfssl req -new -x509 -newkey rsa:2048 -nodes -keyout mykey.pem -out cert.pem -days 365 -subj "/C=US/O=Test/CN=localhost" +.RE +.TP +To explore more, see the COMMAND SUMMARY below, or run: +.RS +wolfssl -h +.RE .SH COMMAND SUMMARY -wolfSSL offers many different commands all of which have a vast variety of options and arguments. -This utility is to be used with wolfSSL installed and can use different function based on different ./configure options +wolfSSL offers many different commands, all of which have a variety of options and arguments. +This utility is to be used with wolfSSL installed and the available commands depend on the wolfSSL ./configure options. +Most commands have their own man page (named wolfssl-) with full details. +Some are grouped: bench is documented in wolfssl-bench, the hashing shortcuts +md5/sha256/sha384/sha512 alias wolfssl-hash, and the raw sign/verify key types +alias wolfssl-sign_verify; help has no separate page, and version is documented +in wolfssl-version(1). 
-LIST - -encrypt \- encrypt a file or basic input using various algorithms and options - -decrypt \- decrypt a file or basic input using various algorithms and options - -hash \- hash a file or basic input using a variety of hashing algorithms - -bench \- tests the processing speed of the ciphersuites - -x509 \- converts an existing PEM formatted certificate to DER format or vise versa +Certificates and CAs + ca sign certificates from a CSR or self-sign + x509 X.509 certificate processing and conversion + req generate certificate requests / self-signed certs + verify verify an X.509 certificate chain + crl parse and verify Certificate Revocation Lists + +Keys + genkey generate cryptographic keys + pkey public/private key processing + rsa RSA key processing + ecparam EC parameter and key generation + dsaparam DSA parameter and key generation + dhparam Diffie-Hellman parameter and key generation + +PKCS and signing + pkcs7 parse PKCS#7 files + pkcs8 PKCS#8 private key conversion + pkcs12 parse PKCS#12 bundles + dgst create/verify message digest signatures + ecc/ed25519/dilithium/xmss/xmssmt raw sign and verify (see sign/verify; -rsa also) + +Symmetric crypto and encoding + encrypt encrypt a file or input + decrypt decrypt a file or input + enc generic encrypt/decrypt (OpenSSL-style) + base64 base64 encode/decode + rand generate random data + +Hashing + hash hash a file or input + md5 create an MD5 hash + sha256 create a SHA-256 hash + sha384 create a SHA-384 hash + sha512 create a SHA-512 hash + +Benchmark and TLS + bench benchmark the algorithms + s_client basic TLS client for testing + s_server basic TLS server for testing + ocsp OCSP client and responder (if supported) + +Misc + version print wolfCLU/wolfSSL version + help print the help menu .SH OPTIONS -Acceptable options can be brought up using either "-help" or through the man pages of the commands +Acceptable options can be brought up using either "-help" / "-h" or through the man pages of the individual 
commands. +.SH GLOSSARY +Common terms you'll see in wolfssl and cryptography: +.TP +.B PEM / DER +File formats for keys and certificates. PEM is text-based (starts with "-----BEGIN..."), DER is binary. Defaults vary by command (for example genkey defaults to DER); use -inform and -outform when converting. +.TP +.B CSR +Certificate Signing Request. A file you send to a Certificate Authority to request a signed certificate. Create one with +.B wolfssl-req(1). +.TP +.B CA +Certificate Authority. An entity that signs certificates, confirming they are valid. See +.B wolfssl-ca(1) +to sign requests yourself. +.TP +.B CRL / OCSP +Certificate Revocation List / Online Certificate Status Protocol. Ways to check if a certificate has been cancelled. See +.B wolfssl-crl(1) +and +.B wolfssl-ocsp(1). +.TP +.B PKCS#1, PKCS#8, PKCS#12 +Key/certificate container formats. PKCS#8 is commonly used for private keys; PKCS#12 bundles a key and certificate together. See +.B wolfssl-pkcs8(1) +and +.B wolfssl-pkcs12(1). +.TP +.B Digest / Hash +A fingerprint of data (e.g., MD5, SHA-256). Cannot be reversed to get the original data. Commonly used to verify file integrity or as part of signing. See +.B wolfssl-hash(1) +and +.B wolfssl-dgst(1). +.TP +.B Salt +Random data added to a password before hashing, making dictionary attacks harder. Used in encryption with passwords. +.TP +.B Key Derivation +Converting a password into a cryptographic key suitable for encryption. See +.B wolfssl-enc(1). +.SH SEE ALSO +.BR wolfssl-encrypt(1) ", " wolfssl-decrypt(1) ", " wolfssl-genkey(1) ", " wolfssl-req(1) ", " wolfssl-ca(1) ", " wolfssl-x509(1) ", " wolfssl-verify(1) .SH BUGS No known bugs at this time. .SH AUTHOR -wolfSSL, Inc. (info@wolfssl.com) +wolfSSL, Inc. (facts@wolfssl.com) .SH COPYRIGHT -Copyright 2014 wolfSSL Inc. All rights reserved. +Copyright 2026 wolfSSL Inc. All rights reserved. .SH REPORTING BUGS Report wolfssl bugs to support@wolfssl.com 
diff --git a/manpages/wolfssl.1.gz b/manpages/wolfssl.1.gz deleted file mode 100644 index 6f6c181e8190e406e67def68ece95bb1f79fbb0b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 864 zcmV-m1E2gKiwFR$BDNhNf+r5Hd!y1*dOtyBj%3L|xEAvdSSaZFRn9Ew)uUPjPG;Qz+@(S$diZ$A<4&Iogg zqmXGYw*{&8t##%E))4_=_7>WPm3PE7Z%KXSAiGPCSMfD4#p(G(7X=zlz{9cetOk`8iF=6*y*ph__ z5(q9+SiC`%m$fiYz2_tjaW9`QzmU@ENLY+r81mR=w&ZN5vxLpX51P?SA9T;B*V>S? zQMlHi?L1jySKHu$bW6|VVNkc1g-UvYz2ph2*cX}Psw!VKuS+S8NCF;(b-vU{Z9wWO%mDo~J$3R+e4nh{uh+H*!GhzC2tu{3yHi$9P` zg*;HgfkzbGEz-=3!k-K5D#o&gp@2e?1xQ7LB!^1XwC)cNi|U{a(X6|~0{8&C#{o7B z{|9VIj$usy{1>1&FG1P+>=peLamO}eNQaiXh?|8PI!EhaY=f+6(KS)$-c~w11Mp^~ z_|A`xi37e!>o}fGN&Qg^=LjdKby>(M( z;LhmwP&)4NE@!0F(7@=T#HtzjE4K7|Jo|8Q+993Z#s0XP?QI&ZG(0K&Oz7=_@^G|` zjVVKyjJMf*orLCi4-1vY@K&lqpWpWH`i|N>B#Ya57EN?>GLo6{g+BP&2g8^;$S+!; qrbKhZeRoze+pLppvAXT3CCInjaOZl0B;jBFY@%QECW3Ux1^@suFsvE?