Category: wolfCLU

The wolfSSL team would like to announce support for XMSS (eXtended Merkle Signature Scheme) and XMSS^MT (Multi-Tree XMSS) post-quantum cryptographic signature schemes to wolfCLU. The implementation includes key generation, signing, and verification capabilities.

Note that this feature includes best-effort state management for stateful private keys. We have done our best to implement state management, but without knowing the implementation of the file system, we cannot guarantee secure storage of the state.

This addition provides wolfCLU users with access to quantum-resistant signature schemes, particularly important for long-term security requirements. The implementation follows the stateful signature paradigm required by XMSS/XMSS^MT while maintaining usability through the familiar wolfCLU interface.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

This PR updates wolfCLU to properly handle X509 name parsing following changes in wolfSSL’s OBJ_sn2nid function behavior. The changes focus on how Distinguished Name (DN) components are processed when creating X509 certificates.

These changes ensure wolfCLU properly handles X509 name components when interfacing with wolfSSL’s updated OBJ_sn2nid implementation.

Users working with X509 certificates through wolfCLU will benefit from more reliable DN parsing, particularly when using our OpenSSL compatibility layer. The changes maintain backward compatibility while supporting proper object identifier handling.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

With the release of wolfCLU 0.1.7, you can now verify long certificate chains! Our way of doing it is a bit unique.

You will need to verify the certificates in your chain one by one. For example, suppose you have a certificate chain where there is a root, intermediate, another intermediate and leaf certificate. If they are named first.pem, second.pem, third.pem and fourth.pem you will need to verify like this:

$ ./wolfssl verify -CAfile first.pem second.pem
$ ./wolfssl verify -partial_chain -CAfile second.pem third.pem
$ ./wolfssl verify -partial_chain -CAfile third.pem fourth.pem

This will work for short chains as well as long chains.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

We have added the Dilithium command to wolfCLU. Dilithium (referred to as ML-DSA by NIST) is a post-quantam cryptography (PQC) algorithm for signing and verification. This blog post provides an overview of how to use the Dilithium command in wolfCLU.

To use the Dilithium command, you must first build wolfSSL with the appropriate configuration options: `–enable-wolfclu` and `–enable-dilithium`.

Building wolfSSL:

$ cd wolfssl
$ ./autogen.sh
$ ./configurte –enable-wolfclu –enable-dilithium
$ make && make check
$ sudo make install

Once wolfSSL is built and installed, you can build wolfCLU. No additional macros are required for this step. After installing, you can check wolfssl command version.

Building wolfCLU:

$ cd wolfclu
$ ./autogen.sh
$ ./configure
$ make && make check
$ sudo make install
$ wolfssl -v

Key Generation:

To generate a Dilithium key pair, use the “-genkey” command. Dilithium supports different security levels (2, 3, and 5) as defined by NIST. You can specify the security level using “-level” and the output filename using “-out”.

$ wolfssl -genkey dilithium -level 2 -out dilithium_key -outform der -output keypair

Sign:

To sign a file with the Dilithium private key, use the “-sign” command. Specify the private key with “-inkey”, the file to be signed with “-in”, and the output signature file with “-out”.

$ wolfssl dilithium -sign -inkey dilithium_key.priv -inform der -in test.txt -out signature.sig

Verify:

To verify a signed file, use the “-verify” command. Provide the public key using “-inkey”, the file to verify with “-in”, and the signature file with “-sigfile”. If the signature is valid, the output will display “Valid Signature”. If not, it will display “Invalid Signature”.

$ wolfssl dilithium -verify -inkey dilithium_key.pub -inform der -in test.txt -sigfile signature.sig

With these steps, you can easily generate keys, sign files and verify signatures using the Dilithium command in wolfCLU.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

We have added initial support for the s_server command to wolfCLU! This exciting new feature supports handling basic TLS connections leveraging the best tested cryptography from the wolfSSL library. It is a quick way to set up simple TLS connection tests. So far the arguments available are :

```
./wolfssl s_server
	-help
	-port <+int>
    	Port to listen on.


	-key 
    	only PEM can be used.


	-cert 
    	only PEM can be used.


	-noVerify
    	Disable client cert check.


	-CAfile 
    	only PEM can be used.


	-version 
    	SSL version [0-4], SSLv3(0) - TLS1.3(4))


	-naccept <+int>
    	Number of times to accept.(default 1)


	-www
    	The response is in HTML format.


	-readyFile 
    	Create Ready file for external monitor.
```

For interest in expanding the capabilities or questions in general, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Throughout the last development cycle, we have increased the test coverage for wolfCLU. This includes many different types of tests done with continuous integration. One of the tests expanded was involving -fsanitize=address builds on every code addition by updating the GitHub actions used. Another was expanding the unit test for the new features added including the ML-DSA (Dilithium support). This is all part of a never ending effort to always be improving on the quality of wolfCLU. Feel free to reach out to us at support@wolfSSL.com with any troubles encountered when using wolfCLU.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

The `dgst` command of wolfCLU saw support for some new arguments with the latest release. Support for `-inform` was added, giving the flexibility to choose if the incoming file is in DER or PEM format. Before only PEM formatted inputs were handled and the application would gracefully error out if a DER input had been given. An example of using this new argument would be the following `wolfssl dgst -inform DER -sign private.ec.der -sha512 -out test.wc.sig test.bin`. To see all of the options available for the `dgst` command uses the `-h` flag, i.e. `wolfssl dgst -h`.

For more information or questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Enhancements were made to wolfCLU for using PEM formatted keys with sign and verify operations. Previously, the sign and verify commands only expected DER formatted keys. This addition was made for all supported algorithms: RSA, ECC, and ED25519. It can be used with the flag -inform. An example would be `wolfssl rsa -inkey priv.key -inform PEM -sigfile signature.bin -in sign-this.txt -out result`. This new enhancement helps make it easier to quickly generate a signature of a file. No longer have the restriction on the format of keys used and the hassle of converting between the two.

For more information or questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

The `rsa` command with wolfCLU just got better! Now there is support for `-pubin` and `-pubout` options. This facilitates loading in a RSA public key only and printing out just the public version of the key. Very useful for cases such as signature verification where you may only have the public part of the key, or for printing out the public version of an RSA key to distribute to others. The expanded support follows the same naming as the OpenSSL command line utility, making it easy to interchange the command line utility being used.

For more information or questions about the above, contact us at facts@wolfSSL.com or call +1 425 245 8247.

Download wolfSSL Now

We have added support for creating and verifying signatures with ML-DSA. This new feature was introduced in wolfCLU release 0.1.6 and can be seen in the handy help message by running `wolfssl -h`. There are a couple of options available to be passed to the new `dilithium` command to increase the flexibility for tuning performance versus security strength.

For more information or questions about the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now