wolfCLU 0.1.9 Available Now

wolfCLU version 0.1.9 is now available! This command-line utility, built on the wolfSSL embedded TLS library, helps with admin tasks and common use cases such as key generation and parsing certificates into human-readable form.

Among the most notable changes to this release is the addition of support for PKCS8 and Base64 commands, introduced in PR #178. These features make it easier to handle common encoding formats and key conversions directly from the command line, streamlining workflows involving PEM or DER-encoded data.

The update also includes important fixes to macro definitions related to client and server Key Encapsulation Mechanisms (KEM), as noted in PR #177. These corrections ensure proper configuration and usage when working with post-quantum cryptographic modes and hybrid TLS key exchange scenarios.

To support users working in FIPS-approved environments, wolfCLU now better aligns with FIPS 140-3 expectations. In PR #183, tests were adjusted to reflect the removal of DES in FIPS mode, and new output was added to indicate when FIPS is enabled. These changes help clarify operational state and support auditability during validation efforts.

This release also updates the license from GPLv2 to GPLv3 (PR #184).

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Enhancements to wolfCLU: PKCS8, Base64, and Improved Certificate Verification

We’re excited to announce recent improvements to wolfCLU, wolfSSL’s command line tool designed to make working with cryptographic data even easier and more flexible.

PKCS8 and Base64 Support

  • pkcs8: Easily parse and handle PKCS#8-formatted private keys, ensuring compatibility with modern secure key formatting standards.
  • base64: Encode or decode data in Base64 format directly from the command line.

Expanded Certificate Verification with -untrusted

The verify command now supports the -untrusted option, enabling verification of certificate chains that include intermediate CAs not directly trusted by the root. This makes wolfCLU a better fit for real-world PKI use cases where trust anchors and intermediates are handled separately.

Example:

$ ./wolfssl verify -in cert.pem -CAfile root.pem -untrusted intermediate.pem

Would you like to see more feature additions to wolfCLU?

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Enhancing wolfSSL’s CMake Build System: Adding WOLFSSL_CLU Support

The wolfSSL team recently merged a significant improvement to their CMake build system with Pull Request #8548. This enhancement adds a new WOLFSSL_CLU option to CMakeLists.txt, providing CMake users with the same functionality that was previously only available through the --enable-wolfclu option in the autotools build system.

What is wolfCLU?

Before diving into the technical details, let’s understand what wolfCLU is. The wolfSSL Command Line Utility (wolfCLU) is a powerful tool that provides cryptographic operations through a command-line interface. It leverages wolfSSL’s cryptographic library (wolfCrypt) to perform common operations such as:

  • Creating certificates and certificate requests
  • Generating public/private key pairs
  • Creating and verifying digital signatures
  • Encrypting and decrypting files
  • Parsing X.509 certificates
  • Establishing certificate chains with a Certificate Authority

wolfCLU serves as an alternative to OpenSSL’s command-line tools, particularly for environments where OpenSSL is not installed or for users who prefer wolfSSL’s lightweight and security-focused implementation.

The Technical Enhancement

The PR adds a new WOLFSSL_CLU option to wolfSSL’s CMakeLists.txt that, when enabled, automatically configures wolfSSL with all the features required by wolfCLU. This includes:

  1. Certificate Operations:
    • Certificate Generation (WOLFSSL_CERTGEN)
    • Certificate Request Generation (WOLFSSL_CERTREQ)
    • Certificate Extensions (WOLFSSL_CERTEXT)
  2. Cryptographic Algorithms:
    • MD5 (WOLFSSL_MD5)
    • AES Counter Mode (WOLFSSL_AESCTR)
    • ED25519 for digital signatures (WOLFSSL_ED25519)
    • SHA-512 (WOLFSSL_SHA512)
    • Triple DES (WOLFSSL_DES3)
  3. Additional Features:
    • Key Generation (WOLFSSL_KEYGEN)
    • OpenSSL Compatibility (WOLFSSL_OPENSSLALL)
    • PKCS#7 Support (WOLFSSL_PKCS7)
  4. Compiler Flags:
    • -DHAVE_OID_ENCODING: Enables OID encoding functionality
    • -DWOLFSSL_NO_ASN_STRICT: Disables strict ASN.1 parsing
    • -DWOLFSSL_ALT_NAMES: Enables alternative name support
    • -DOPENSSL_ALL: Ensures OpenSSL compatibility functions are available

The PR also updates the GitHub Actions workflow to test this new option, ensuring it works correctly in the CI environment.

How to Use It

To build wolfSSL with wolfCLU support using CMake, simply add the -DWOLFSSL_CLU=yes option to your CMake command:

mkdir build
cd build
cmake .. -DWOLFSSL_CLU=yes
make

This will configure wolfSSL with all the necessary features and compiler flags to support wolfCLU.

Conclusion

This PR demonstrates wolfSSL’s commitment to providing consistent build options across different build systems and improving the developer experience. By adding the WOLFSSL_CLU option to CMakeLists.txt, the wolfSSL team has made it easier for developers to build and use wolfCLU with wolfSSL, regardless of their preferred build system.

For more information about wolfCLU and its capabilities, visit the wolfSSL website or check out the wolfCLU GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

wolfCLU: Support for XMSS/XMSS^MT

The wolfSSL team would like to announce support in wolfCLU for the XMSS (eXtended Merkle Signature Scheme) and XMSS^MT (Multi-Tree XMSS) post-quantum cryptographic signature schemes. The implementation includes key generation, signing, and verification capabilities.

Note that this feature includes best-effort state management for stateful private keys. We have done our best to implement state management, but without knowing the implementation of the file system, we cannot guarantee secure storage of the state.

This addition provides wolfCLU users with access to quantum-resistant signature schemes, particularly important for long-term security requirements. The implementation follows the stateful signature paradigm required by XMSS/XMSS^MT while maintaining usability through the familiar wolfCLU interface.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Fix for change to OBJ sn2nid behavior in wolfCLU

This PR updates wolfCLU to properly handle X509 name parsing following changes in wolfSSL’s OBJ_sn2nid function behavior. The changes focus on how Distinguished Name (DN) components are processed when creating X509 certificates.

These changes ensure wolfCLU properly handles X509 name components when interfacing with wolfSSL’s updated OBJ_sn2nid implementation.

Users working with X509 certificates through wolfCLU will benefit from more reliable DN parsing, particularly when using our OpenSSL compatibility layer. The changes maintain backward compatibility while supporting proper object identifier handling.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Using wolfCLU To Verify a Certificate Chain of More than 2 Certificates

With the release of wolfCLU 0.1.7, you can now verify long certificate chains! Our way of doing it is a bit unique.

You will need to verify the certificates in your chain one by one. For example, suppose you have a certificate chain where there is a root, intermediate, another intermediate and leaf certificate. If they are named first.pem, second.pem, third.pem and fourth.pem you will need to verify like this:

$ ./wolfssl verify -CAfile first.pem second.pem
$ ./wolfssl verify -partial_chain -CAfile second.pem third.pem
$ ./wolfssl verify -partial_chain -CAfile third.pem fourth.pem

This will work for short chains as well as long chains.
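As an added example, not code from the wolfSSL post, here is the pairwise procedure above generalised to a chain of any length: a POSIX shell function that takes the certificate files in root-to-leaf order, verifies each one against the certificate before it (the first link against the root without -partial_chain, every later link with it, exactly as the three commands above do), and stops at the first link that fails. The wolfCLU command syntax is the one shown in the post; the WOLFSSL variable and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not part of wolfCLU: verify a certificate chain of any
# length the way the post does by hand, one issuer/subject pair at a time.
# Arguments are the certificate files ordered root -> intermediates -> leaf.
# WOLFSSL names the wolfCLU binary (assumed to be ./wolfssl as in the post);
# override it to point at an installed copy or, in tests, at a stub.
WOLFSSL="${WOLFSSL:-./wolfssl}"

verify_chain() {
    if [ "$#" -lt 2 ]; then
        echo "usage: verify_chain root.pem [intermediate.pem ...] leaf.pem" >&2
        return 2
    fi
    issuer="$1"
    shift
    link=1
    for cert in "$@"; do
        if [ "$link" -eq 1 ]; then
            # First link: the anchor is the real root, so no -partial_chain.
            "$WOLFSSL" verify -CAfile "$issuer" "$cert" || {
                echo "FAIL: $cert is not issued by root $issuer" >&2
                return 1
            }
        else
            # Later links: accept the previous certificate (an intermediate)
            # as the trust anchor for this one, as the post does.
            "$WOLFSSL" verify -partial_chain -CAfile "$issuer" "$cert" || {
                echo "FAIL: $cert is not issued by $issuer" >&2
                return 1
            }
        fi
        issuer="$cert"
        link=$((link + 1))
    done
    echo "chain OK: $# certificate(s) verified below the root"
    return 0
}
```

Running `verify_chain first.pem second.pem third.pem fourth.pem` issues the same three commands as the post. Each invocation still checks only one link, which is what the post describes; the function adds only the ordering and stopping at the first failure, so a broken intermediate is reported by name rather than silently passing the later links.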

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Dilithium Support in wolfCLU

We have added the Dilithium command to wolfCLU. Dilithium (referred to as ML-DSA by NIST) is a post-quantum cryptography (PQC) algorithm for signing and verification. This blog post provides an overview of how to use the Dilithium command in wolfCLU.

To use the Dilithium command, you must first build wolfSSL with the appropriate configuration options: `--enable-wolfclu` and `--enable-dilithium`.

Building wolfSSL:

$ cd wolfssl
$ ./autogen.sh
$ ./configure --enable-wolfclu --enable-dilithium
$ make && make check
$ sudo make install

Once wolfSSL is built and installed, you can build wolfCLU. No additional macros are required for this step. After installing, you can check the version of the wolfssl command.

Building wolfCLU:

$ cd wolfclu
$ ./autogen.sh
$ ./configure
$ make && make check
$ sudo make install
$ wolfssl -v

Key Generation:

To generate a Dilithium key pair, use the “-genkey” command. Dilithium supports different security levels (2, 3, and 5) as defined by NIST. You can specify the security level using “-level” and the output filename using “-out”.

$ wolfssl -genkey dilithium -level 2 -out dilithium_key -outform der -output keypair

Sign:

To sign a file with the Dilithium private key, use the “-sign” command. Specify the private key with “-inkey”, the file to be signed with “-in”, and the output signature file with “-out”.

$ wolfssl dilithium -sign -inkey dilithium_key.priv -inform der -in test.txt -out signature.sig

Verify:

To verify a signed file, use the “-verify” command. Provide the public key using “-inkey”, the file to verify with “-in”, and the signature file with “-sigfile”. If the signature is valid, the output will display “Valid Signature”. If not, it will display “Invalid Signature”.

$ wolfssl dilithium -verify -inkey dilithium_key.pub -inform der -in test.txt -sigfile signature.sig

With these steps, you can easily generate keys, sign files and verify signatures using the Dilithium command in wolfCLU.
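As an added example, not code from the wolfSSL post, here is a small POSIX shell wrapper around the three commands above that turns wolfCLU's textual verdict ("Valid Signature" / "Invalid Signature") into an exit status usable in scripts, and runs a tamper check after signing. It assumes the command syntax shown in the post, that `-output keypair` writes `<name>.priv` and `<name>.pub` as the sign and verify lines imply, and that the wolfssl binary is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of wolfCLU: script the Dilithium (ML-DSA)
# commands from the post and make their result usable in automation.
# Assumes: the command syntax shown in the post, that "-output keypair"
# writes <name>.priv and <name>.pub, and that wolfssl is on PATH.
WOLFSSL="${WOLFSSL:-wolfssl}"

# signature_is_valid PUBKEY FILE SIGFILE
# Returns 0 only when wolfCLU prints "Valid Signature". The match is
# case-sensitive on purpose: the failure message "Invalid Signature"
# contains the substring "valid Signature", so a case-insensitive grep
# would report a bad signature as good.
signature_is_valid() {
    pub="$1"; file="$2"; sig="$3"
    out=$("$WOLFSSL" dilithium -verify -inkey "$pub" -inform der \
          -in "$file" -sigfile "$sig" 2>&1) || true
    case "$out" in
        *"Valid Signature"*) return 0 ;;
        *) return 1 ;;
    esac
}

# dilithium_roundtrip LEVEL FILE [KEYNAME]
# Generates a key pair at the given NIST level (2, 3 or 5), signs FILE,
# checks the signature, then checks that a modified copy is rejected.
dilithium_roundtrip() {
    level="$1"; file="$2"; key="${3:-dilithium_key}"
    "$WOLFSSL" -genkey dilithium -level "$level" -out "$key" -outform der -output keypair || return 1
    "$WOLFSSL" dilithium -sign -inkey "$key.priv" -inform der -in "$file" -out "$file.sig" || return 1
    signature_is_valid "$key.pub" "$file" "$file.sig" || {
        echo "fresh signature over $file was rejected" >&2; return 1; }
    # Tamper check: one extra byte must invalidate the signature.
    cp "$file" "$file.tampered"
    printf 'x' >> "$file.tampered"
    if signature_is_valid "$key.pub" "$file.tampered" "$file.sig"; then
        echo "tampered copy of $file was accepted" >&2; return 1
    fi
    rm -f "$file.tampered"
    echo "Dilithium level $level: sign/verify and tamper check OK"
    return 0
}
```

`dilithium_roundtrip 2 test.txt` reproduces the post's three commands end to end and fails with a non-zero status if either the genuine signature is rejected or the tampered copy is accepted; `signature_is_valid` on its own is the piece to reuse wherever a script needs the verdict rather than the printed text.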

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

wolfCLU Initial s_server Support

We have added initial support for the s_server command to wolfCLU! This exciting new feature supports handling basic TLS connections, leveraging the best-tested cryptography from the wolfSSL library. It is a quick way to set up simple TLS connection tests. So far the arguments available are:

```
./wolfssl s_server
    -help
    -port <+int>
        Port to listen on.
    -key
        only PEM can be used.
    -cert
        only PEM can be used.
    -noVerify
        Disable client cert check.
    -CAfile
        only PEM can be used.
    -version
        SSL version [0-4], SSLv3(0) - TLS1.3(4))
    -naccept <+int>
        Number of times to accept.(default 1)
    -www
        The response is in HTML format.
    -readyFile
        Create Ready file for external monitor.
```
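As an added example, not code from the wolfSSL post, here is how the -readyFile option fits into a scripted connection test: the server is started in the background and the caller polls for the ready file instead of guessing how long startup takes, so the client never races the listener. It assumes the argument names listed above; the helper names, port number, file paths and the 10-second limit are this example's own.

```shell
#!/bin/sh
# Added example, not part of wolfCLU: start the wolfCLU s_server for a
# connection test and use its -readyFile option so the caller does not
# race the server's startup. Assumes the argument names listed in the
# post; the helper names, port and file paths are this example's own.
WOLFSSL="${WOLFSSL:-./wolfssl}"

# wait_for_ready FILE TIMEOUT_SECONDS
# Polls once per second for FILE, which s_server creates once it is
# listening; returns 1 if it has not appeared within the limit.
wait_for_ready() {
    file="$1"; limit="$2"; waited=0
    while [ ! -e "$file" ]; do
        if [ "$waited" -ge "$limit" ]; then
            echo "server did not become ready within ${limit}s" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# start_test_server PORT KEY CERT CAFILE READYFILE
# Runs s_server in the background for a single TLS 1.3 connection
# (-version 4 on the post's 0-4 scale; -naccept 1 is also the default).
# Client certificates are checked against CAFILE: -noVerify, which would
# disable that check, is deliberately not used here.
start_test_server() {
    port="$1"; key="$2"; cert="$3"; cafile="$4"; ready="$5"
    rm -f "$ready"   # a stale file would make the wait return immediately
    "$WOLFSSL" s_server -port "$port" -key "$key" -cert "$cert" \
        -CAfile "$cafile" -version 4 -naccept 1 -readyFile "$ready" &
    SERVER_PID=$!
    wait_for_ready "$ready" 10 || { kill "$SERVER_PID" 2>/dev/null; return 1; }
    echo "s_server (pid $SERVER_PID) listening on port $port"
    return 0
}
```

Call `start_test_server 11111 server-key.pem server-cert.pem ca.pem /tmp/wolfclu.ready` and run the client once it returns; with -naccept 1 the server exits after that connection, so `kill $SERVER_PID` is only needed if the client never connects.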

For interest in expanding the capabilities or questions in general, please contact us at facts@wolfSSL.com or +1 425 245 8247.

wolfCLU Tests

Throughout the last development cycle, we have increased the test coverage for wolfCLU. This includes many different types of tests run under continuous integration. One expansion was running -fsanitize=address builds on every code addition, by updating the GitHub Actions used. Another was expanding the unit tests for the new features added, including the ML-DSA (Dilithium) support. This is all part of a never-ending effort to keep improving the quality of wolfCLU. Feel free to reach out to us at support@wolfSSL.com with any troubles encountered when using wolfCLU.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

wolfCLU dgst Command

The `dgst` command of wolfCLU gained support for some new arguments with the latest release. Support for `-inform` was added, giving the flexibility to choose whether the incoming file is in DER or PEM format. Before, only PEM-formatted inputs were handled and the application would gracefully error out if a DER input had been given. An example of using this new argument would be the following: `wolfssl dgst -inform DER -sign private.ec.der -sha512 -out test.wc.sig test.bin`. To see all of the options available for the `dgst` command, use the `-h` flag, i.e. `wolfssl dgst -h`.

For more information or questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
