source: doc/CreddyDoc @ 94a4dd2

mei_rt2mei_rt2_fix_1
Last change on this file since 94a4dd2 was e205b49, checked in by Mei <mei@…>, 12 years ago

1) update more documentation
  • Property mode set to 100644
File size: 7.2 KB
RevLine 
[e205b49]1creddy(1)                                                            creddy(1)
2
3
4
5NNAAMMEE
6       creddy - ABAC X.509 identity and attribute certificate manager
7
8
9SSYYNNOOPPSSIISS
10       ccrreeddddyy [[ ----<<mmooddee>> ]] ----hheellpp
11
12
13DDEESSCCRRIIPPTTIIOONN
14       creddy  is an awesome and wonderful ABAC credential management tool. It
15       creates,  verifies,  and  otherwise  frobnicates  X.509  identity   and
16       attribute certificates. The output of the tool is suitable for use with
17       ABAC. Additionally, the self-signed X.509 identity certs (with  associ‐
18       ated private keys) can be used with OpenSSL
19
20
21OOPPTTIIOONNSS
22   ----ggeenneerraattee
23       Generate an X.509 identity cert and private key pair unless an external
24       private key is specified. The certificate is saved in ${cn}_id.pem  and
25       the generated private key is saved in ${cn}_private.pem
26
27
28       Note that private key generation is slow and uses a lot of entropy. You
29       can generate entropy by moving your mouse a lot or running  large  find
30       commands on your local file systems
31
32
33       ----ccnn   common  name  used on certificate, provided as a convenience and
34              ignored by ABAC
35
36
37       ----vvaalliiddiittyy
38              optional certificate validity. This argument takes a time period
39              followed  by  an  optional suffix of s m h d y (defaults to d if
40              omitted). The default is 1080 days
41
42
43       ----oouutt  optional output directory. Must exist before invoking  the  com‐
44              mand
45
46
47       ----kkeeyy  optional external private key to be use for this identity
48
49
50       ----pp    optional passphrase flag if the external private key supplied is
51              encrypted. If the passphrase is saved in a  file  'pfile',  then
52              --p=pfile
53
54
55   ----vveerriiffyy
56       verify  the  signature on a self-signed X.509 identity cert or an X.509
57       attribute cert
58
59
60       ----cceerrtt self-signed X.509 identity cert
61
62
63       ----aattttrrcceerrtt
64              optional X.509 attribute cert. If omitted the self-signature  of
65              the ID cert is checked
66
67
68   ----kkeeyyiidd
69       extract  the  subjectKeyIdentifier  (SHA1  hash) from an X.509 identity
70       cert
71
72
73       ----cceerrtt X.509 identity cert
74
75
76   ----aattttrriibbuuttee
77       generate an X.509 attribute cert representing an ABAC credential
78
79       An attribute cert has one or more subjects. A  single  subject  may  be
80       defined  without  a  role or oset. Otherwise, subjects are defined by a
81       pair of a --subject-{cert,id} and --subject-{role,oset} and may include
82       an  optional  --subject-link  or  just --subject-obj or --subject-cert.
83       Providing multiple subjects creates an intersection certificate
84
85
86       ----iissssuueerr
87              X.509 identity cert issuing the credential
88
89
90       ----kkeeyy  private key associated with issuer cert
91
92
93       ----pp    optional passphrase if the private key is encrypted
94
95
96       ----rroollee role in issuer's local attribute space
97
98
99       ----oosseett o-set in issuer's local attribute space
100
101
102       ----ssuubbjjeecctt--cceerrtt
103              X.509 identity cert representing the principal to which the role
104              is  being issued. This fulfills the same purpose as --subject-id
105              and should only be used once per subject
106
107
108       ----ssuubbjjeecctt--iidd
109              public key identifier (SHA1 hash) of the principal to which  the
110              role  is  being issued. This fulfills the same purpose as --sub‐
111              ject-cert and should only be used once per subject
112
113
114       ----ssuubbjjeecctt--rroollee
115              optional role in subject's local attribute space. If the  issuer
116              is  A,  role  is  r1,  subject is B, and subject-role is r2, the
117              attribute issued will be A.r1 <- B.r2
118
119
120       ----ssuubbjjeecctt--oosseett
121              optional oset in subject's local attribute space. If the  issuer
122              is  A,  oset  is  o1,  subject is B, and subject-oset is o2, the
123              attribute issued will be A.o1 <- B.o2
124
125
126       ----ssuubbjjeecctt--lliinnkk
127              optional linking role in subject's local attribute space. If the
128              issuer  is  A,  oset is o1, subject is B, subject-link is r2 and
129              subject-oset is o2, the attribute issued will be A.o1 <- B.r2.o2
130
131
132       ----ssuubbjjeecctt--oobbjj
133              optional object in  subject's  local  attribute  space.  If  the
134              issuer  is  A,  oset is o1, and subject-obj is o2, the attribute
135              issued will be A.o1 <- o2
136
137
138       ----vvaalliiddiittyy
139              optional certificate validity. This argument takes a time period
140              followed  by  an  optional suffix of s m h d y (defaults to d if
141              omitted). The default is 365 days
142
143
144       ----oouutt  where to save DER-encoded attribute cert. In order to interoper‐
145              ate with the rest of ABAC, this name should end in _attr.der
146
147
148   ----kkeeyycchheecckk
149       Do a sanity check on a private key file
150
151
152       ----kkeeyy  private key to be used
153
154
155       ----pp    passphrase file to be used
156
157
158   ----rroolleess
159       Extract the roles from an X.509 attribute cert
160
161
162   ----oosseettss
163       Extract the osets from an X.509 attribute cert
164
165
166       ----cceerrtt X.509 attribute cert containing ABAC roles
167
168
169   ----ddiissppllaayy
170       Displays metadata from an X.509 identity or attribute cert
171
172
173       ----sshhooww==[[iissssuueerr,,....,,aallll]]
174              comma-separated list of:
175
176                  issuer      DN of issuer
177                  subject     DN of subject
178                  validity    validity period
179                  roles        attribute  cert  roles  (fails  silently  on ID
180              certs)
181                  osets       attribute  cert  osets  (fails  silently  on  ID
182              certs)
183                  all         all of the above
184
185
186       ----cceerrtt X.509 identity or attribute cert
187
188
189   ----vveerrssiioonn
190       display ABAC/creddy version
191
192
193EEXXAAMMPPLLEESS
194       Generate ID cert and private key pairs:
195
196              ccrreeddddyy ----ggeenneerraattee ----ccnn AAlliiccee
197              ccrreeddddyy ----ggeenneerraattee ----ccnn BBoobb
198
199
200       Issue the credential Alice.friend <- Bob
201
202              creddy --attribute \
203                     --issuer Alice_ID.pem --key Alice_private.pem \
204                     --role friend --subject-cert Bob_ID.pem \
205                     --out Alice_friend__Bob_attr.der
206
207
208AAUUTTHHOORR
209       Written by Mike Ryan Updated by Mei-Hui Su <mei@ISI.EDU>.
210
211
212BBUUGGSS
213       None yet. Report to http://abac.deterlab.net/
214
215
216CCOOPPYYRRIIGGHHTT
217       Copyright  (c) 2010-2012 USC/ISI. Released under MIT license. See COPY‐
218       ING included with source for details.
219
220
221
222ABAC 0.2.2                         July 2012                         creddy(1)
Note: See TracBrowser for help on using the repository browser.