source: doc/creddy.1 @ 7751094

mei_rt2
Last change on this file since 7751094 was c67bfa3, checked in by Mei <mei@…>, 12 years ago

1) tinker with documentation

  • Property mode set to 100644
File size: 5.4 KB
.TH creddy 1 "July 2012" "ABAC 0.2.2"

.SH NAME
creddy \- ABAC X.509 identity and attribute certificate manager

.SH SYNOPSIS

.B creddy [ --<mode> ] --help

.SH DESCRIPTION

creddy is an awesome and wonderful ABAC credential management tool. It
creates, verifies, and otherwise frobnicates X.509 identity and
attribute certificates. The output of the tool is suitable for use with
ABAC. Additionally, the self-signed X.509 identity certs (with
associated private keys) can be used with OpenSSL. Although creddy
only generates self-signed identity certs, it can verify and sanity check
non-self-signed identity certs as well.

.SH OPTIONS

.SS --generate
Generate an X.509 identity cert and private key pair unless an external private key is specified. The certificate is saved in ${cn}_ID.pem and the generated private key is saved in ${cn}_private.pem.

.P
Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.

.TP
.B --cn
common name used on the certificate, provided as a convenience and ignored by ABAC

.TP
.B --validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days.

.TP
.B --out
optional output directory. Must exist before invoking the command.

.TP
.B --key
optional external private key to be used for this identity

.TP
.B --p
optional passphrase flag if the external private key supplied is encrypted. If the passphrase
is saved in a file 'pfile', then --p=pfile

.SS --verify
verify the signature on an X.509 identity cert (self-signed or not) or on an X.509 attribute cert, and check the validity of the cert

.TP
.B --cert
X.509 identity cert

.TP
.B --attrcert
optional X.509 attribute cert

.SS --keyid
extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert

.TP
.B --cert
X.509 identity cert

.SS --attribute
generate an X.509 attribute cert representing an ABAC credential

An attribute cert has one or more subjects. A single subject may be defined without a role or oset. Otherwise, each subject is defined by a pair of a --subject-{cert,id} and a --subject-{role,oset}, and may include an optional --subject-link, or consists of just --subject-obj or --subject-cert. Providing multiple subjects creates an intersection certificate.

.TP
.B --issuer
X.509 identity cert issuing the credential

.TP
.B --key
private key associated with the issuer cert

.TP
.B --p
optional passphrase if the private key is encrypted

.TP
.B --role
role in the issuer's local attribute space

.TP
.B --oset
o-set in the issuer's local attribute space

.TP
.B --subject-cert
X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.

.TP
.B --subject-id
public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.

.TP
.B --subject-role
optional role in the subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2

.TP
.B --subject-oset
optional oset in the subject's local attribute space. If the issuer is A, oset is o1, subject is B, and subject-oset is o2, the attribute issued will be A.o1 <- B.o2

.TP
.B --subject-link
optional linking role in the subject's local attribute space. If the issuer is A, oset is o1, subject is B, subject-link is r2, and subject-oset is o2, the attribute issued will be A.o1 <- B.r2.o2

.TP
.B --subject-obj
optional object in the subject's local attribute space. If the issuer is A, oset is o1, and subject-obj is o2, the attribute issued will be A.o1 <- o2

.TP
.B --validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days.

.TP
.B --out
where to save the DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der

.SS --keycheck
Do a sanity check on a private key file

.TP
.B --key
private key to be checked

.TP
.B --p
passphrase file to be used

.SS --roles
Extract the roles from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC roles

.SS --osets
Extract the osets from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC osets

.SS --display
Display metadata from an X.509 identity or attribute cert

.TP
.B --show=[issuer,..,all]
comma-separated list of:

    issuer      DN of issuer
    subject     DN of subject
    validity    validity period
    roles       attribute cert roles (fails silently on ID certs)
    osets       attribute cert osets (fails silently on ID certs)
    all         all of the above

.TP
.B --cert
X.509 identity or attribute cert

.SS --version
display the ABAC/creddy version

.SH EXAMPLES

.TP
Generate ID cert and private key pairs:

.B creddy --generate --cn Alice
.br
.B creddy --generate --cn Bob

.TP
Issue the credential Alice.friend <- Bob:

creddy --attribute \\
       --issuer Alice_ID.pem --key Alice_private.pem \\
       --role friend --subject-cert Bob_ID.pem \\
       --out Alice_friend__Bob_attr.der

.SH AUTHOR

Written by Mike Ryan
.br
Updated by Mei-Hui Su <mei@ISI.EDU>.

.SH BUGS

None yet. Report to http://abac.deterlab.net/

.SH COPYRIGHT

Copyright (c) 2010-2012 USC/ISI. Released under MIT license. See COPYING included with source for details.
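The --attribute rules and the --validity syntax documented above, worked as a dry-run helper. This is an added example and not code from creddy or the ABAC distribution: it applies the man page's subject rules to plain principal labels (Alice, Bob) and renders the ABAC statement a flag combination would issue, so an operator can review it before signing with a real --key; the " & " intersection notation and the `attr_filename` helper are this example's own assumptions.

```python
# Added example, not part of creddy or the ABAC distribution: a dry-run helper that
# applies the --attribute rules from the creddy man page, so an operator can see which
# ABAC statement a flag combination would issue before signing with a real private key.
# Principals are plain labels here; creddy itself takes --subject-cert or --subject-id.
import re

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}

def parse_validity(text, default_days):
    """--validity: digits plus an optional suffix s/m/h/d/y; the suffix defaults to d."""
    if text is None:
        return default_days * _UNIT_SECONDS["d"]
    m = re.fullmatch(r"(\d+)([smhdy]?)", text)
    if not m:
        raise ValueError("bad --validity value: %r" % text)
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "d"]

def subject_term(subj):
    """Render one subject (dict with keys among id, role, oset, link, obj)."""
    if "obj" in subj:                              # A.o1 <- o2
        if len(subj) != 1:
            raise ValueError("--subject-obj is used by itself")
        return subj["obj"]
    if "id" not in subj:
        raise ValueError("each subject needs --subject-cert or --subject-id")
    if "role" in subj and "oset" in subj:
        raise ValueError("use --subject-role or --subject-oset, not both")
    if "link" in subj:                             # A.o1 <- B.r2.o2 (documented case)
        if "oset" not in subj:
            raise ValueError("--subject-link is documented together with --subject-oset")
        return "%s.%s.%s" % (subj["id"], subj["link"], subj["oset"])
    attr = subj.get("role") or subj.get("oset")    # A.r1 <- B.r2, or a bare A.r1 <- B
    return subj["id"] + ("." + attr if attr else "")

def attribute_statement(issuer, subjects, role=None, oset=None):
    """Left side is the issuer's local role or oset; several subjects intersect."""
    if (role is None) == (oset is None):
        raise ValueError("give exactly one of --role and --oset")
    if not subjects:
        raise ValueError("at least one subject is required")
    if len(subjects) > 1 and any(len(s) == 1 and "id" in s for s in subjects):
        raise ValueError("a subject without role/oset must be the only subject")
    # " & " is this example's own notation for the intersection certificate
    rhs = " & ".join(subject_term(s) for s in subjects)
    return "%s.%s <- %s" % (issuer, role or oset, rhs)

def attr_filename(issuer, attr, subject_label):
    """Naming convention from the EXAMPLES section: <issuer>_<attr>__<subject>_attr.der."""
    return "%s_%s__%s_attr.der" % (issuer, attr, subject_label)
```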