source: doc/creddy.1 @ 9248b00

Last change on this file since 9248b00 was e205b49, checked in by Mei <mei@…>, 12 years ago

1) update more documentation

.TH creddy 1 "July 2012" "ABAC 0.2.2"

.SH NAME
creddy \- ABAC X.509 identity and attribute certificate manager

.SH SYNOPSIS

.B creddy --<mode> [ <mode options> ]
.br
.B creddy [ --<mode> ] --help

.SH DESCRIPTION

creddy is the ABAC credential management tool. It creates, verifies and
inspects X.509 identity and attribute certificates. The output of the tool
is suitable for use with ABAC. Additionally, the self-signed X.509 identity
certs (with associated private keys) can be used with OpenSSL.

.P
The mode is selected with one of --generate, --verify, --keyid,
--attribute, --keycheck, --roles, --osets, --display or --version, each
described below; creddy --<mode> --help lists the options that mode accepts.

.SH OPTIONS

.SS --generate
Generate an X.509 identity cert and private key pair, or, if an external private key is supplied with --key, an identity cert for that key. The certificate is saved in ${cn}_ID.pem and the generated private key in ${cn}_private.pem, where ${cn} is the value given to --cn

.P
Note that private key generation is slow and consumes a lot of entropy. On a machine that is short of entropy you can generate some by moving the mouse or running large find commands over the local file systems

.TP
.B --cn
common name placed in the certificate and used to name the output files. ABAC identifies a principal by its key (see --keyid), so the common name is provided only as a convenience and is ignored by ABAC

.TP
.B --validity
optional certificate validity: a number followed by an optional unit suffix of s, m, h, d or y (seconds, minutes, hours, days, years; d is assumed if the suffix is omitted). The default is 1080 days

.TP
.B --out
optional output directory. It must exist before the command is invoked; creddy does not create it

.TP
.B --key
optional external private key to be used for this identity instead of generating a new one

.TP
.B --p
optional passphrase file, needed when the external private key supplied with --key is encrypted. If the passphrase
is saved in a file 'pfile', use --p=pfile

.SS --verify
Verify the signature on a self-signed X.509 identity cert, or verify an X.509 attribute cert against the identity cert of the principal that issued it

.TP
.B --cert
self-signed X.509 identity cert. When --attrcert is also given, this is the issuer's cert, whose public key is used to check the attribute cert's signature

.TP
.B --attrcert
optional X.509 attribute cert. If omitted, the self-signature of the ID cert is checked

.SS --keyid
Extract the subjectKeyIdentifier (SHA1 hash of the public key) from an X.509 identity cert. This is the identifier by which ABAC names the principal, and the value accepted by --subject-id

.TP
.B --cert
X.509 identity cert

.SS --attribute
Generate an X.509 attribute cert representing an ABAC credential

.P
An attribute cert has one or more subjects. A subject is either a principal, named by --subject-cert or --subject-id (one of the two, not both), or an object named by --subject-obj. A principal subject may stand alone (A.r1 <- B), carry a --subject-role or --subject-oset from its own attribute space (A.r1 <- B.r2), and in the oset case be extended with a --subject-link (A.o1 <- B.r2.o2). Giving more than one subject produces an intersection certificate: the issuer's attribute is held only by principals that satisfy every listed subject

.TP
.B --issuer
X.509 identity cert of the principal issuing the credential

.TP
.B --key
private key associated with the issuer cert, used to sign the attribute cert

.TP
.B --p
optional passphrase file, needed if the private key is encrypted (--p=pfile, as for --generate)

.TP
.B --role
role in the issuer's local attribute space. The issuer's attribute is given either as a --role or as an --oset

.TP
.B --oset
o-set in the issuer's local attribute space

.TP
.B --subject-cert
X.509 identity cert of the principal to which the role is being issued. This serves the same purpose as --subject-id and should be used only once per subject

.TP
.B --subject-id
public key identifier (SHA1 hash, as printed by --keyid) of the principal to which the role is being issued. This serves the same purpose as --subject-cert and should be used only once per subject

.TP
.B --subject-role
optional role in the subject's local attribute space. If the issuer is A, the role is r1, the subject is B and the subject-role is r2, the attribute issued will be A.r1 <- B.r2, i.e. every member of B.r2 is also a member of A.r1

.TP
.B --subject-oset
optional o-set in the subject's local attribute space. If the issuer is A, the oset is o1, the subject is B and the subject-oset is o2, the attribute issued will be A.o1 <- B.o2

.TP
.B --subject-link
optional linking role in the subject's local attribute space. If the issuer is A, the oset is o1, the subject is B, the subject-link is r2 and the subject-oset is o2, the attribute issued will be A.o1 <- B.r2.o2, i.e. for every principal X in B.r2, the members of X.o2 are members of A.o1

.TP
.B --subject-obj
optional object, used in place of a principal subject. If the issuer is A, the oset is o1 and the subject-obj is o2, the attribute issued will be A.o1 <- o2

.TP
.B --validity
optional certificate validity: a number followed by an optional unit suffix of s, m, h, d or y (d is assumed if the suffix is omitted). The default is 365 days

.TP
.B --out
file in which to save the DER-encoded attribute cert. In order to interoperate with the rest of ABAC, the name should end in _attr.der

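.P
The credential forms listed above, evaluated together as an added example (Python, not creddy or libabac code): credentials are modelled as tuples rather than X.509 attribute certs, and the principal and object names Alice, Bob, Carol, doc1, doc2 and the attributes friend, documents, readable and trusted are constructed for the illustration. It goes beyond the single forms shown above by computing the members of every attribute under all of them at once, including a linked o-set and an intersection certificate.

```python
"""Evaluate the ABAC credential forms that creddy --attribute issues.

Added example, not creddy or libabac code. A credential is a tuple rather
than an X.509 attribute cert, and members are opaque strings, so the o-set
forms (A.o1 <- o2, A.o1 <- B.o2, A.o1 <- B.r2.o2) are evaluated exactly like
the role forms. members_of() iterates the credentials to a fixed point, the
standard bottom-up RT0 evaluation.
"""
from collections import defaultdict

# Credential forms and the creddy options that produce them (constructed names):
#   ("member", "A", "r1", "B")               A.r1 <- B        --subject-cert/--subject-id, or --subject-obj
#   ("simple", "A", "r1", "B", "r2")         A.r1 <- B.r2     --subject-role / --subject-oset
#   ("linked", "A", "o1", "B", "r2", "o2")   A.o1 <- B.r2.o2  --subject-link with --subject-oset
#   ("intersection", "A", "r", [("B", "r1"), ("C", "r2")])    several subjects on one cert
SAMPLE = [
    ("member", "Alice", "friend", "Bob"),                 # Alice.friend <- Bob
    ("simple", "Alice", "friend", "Bob", "friend"),       # Alice.friend <- Bob.friend
    ("member", "Bob", "friend", "Carol"),                 # Bob.friend <- Carol
    ("member", "Bob", "documents", "doc1"),               # Bob.documents <- doc1 (an object)
    ("member", "Carol", "documents", "doc2"),             # Carol.documents <- doc2
    # Alice.readable <- Alice.friend.documents: whatever any friend publishes
    ("linked", "Alice", "readable", "Alice", "friend", "documents"),
    # Alice.trusted <- Alice.friend & Bob.friend: must be in both
    ("intersection", "Alice", "trusted", [("Alice", "friend"), ("Bob", "friend")]),
]


def members_of(credentials):
    """Return {(issuer, attribute): frozenset(members)} closed under the credentials."""
    holders = defaultdict(set)

    def derive(cred):
        """Members the credential adds to issuer.attribute given the current state."""
        kind = cred[0]
        if kind == "member":
            return {cred[3]}
        if kind == "simple":
            _, _, _, b, r2 = cred
            return set(holders[(b, r2)])
        if kind == "linked":
            _, _, _, b, r2, o2 = cred
            found = set()
            for x in list(holders[(b, r2)]):      # each principal X in B.r2 ...
                found |= holders[(x, o2)]          # ... contributes all of X.o2
            return found
        if kind == "intersection":
            parts = [set(holders[(p, r)]) for p, r in cred[3]]
            return set.intersection(*parts) if parts else set()
        raise ValueError(f"unknown credential form {kind!r}")

    changed = True
    while changed:                                 # monotone over a finite universe: terminates
        changed = False
        for cred in credentials:
            target = holders[(cred[1], cred[2])]
            new = derive(cred)
            if not new <= target:
                target |= new
                changed = True
    return {k: frozenset(v) for k, v in holders.items() if v}


def holds(credentials, issuer, attribute, member):
    """True if `member` can be proved to hold issuer.attribute from the credentials."""
    return member in members_of(credentials).get((issuer, attribute), frozenset())


if __name__ == "__main__":
    for (issuer, attr), who in sorted(members_of(SAMPLE).items()):
        print(f"{issuer}.{attr} = {{{', '.join(sorted(who))}}}")
```

With SAMPLE, Alice.friend resolves to Bob and Carol (Carol via Bob.friend), Alice.readable to doc1 and doc2 through the linking role, and Alice.trusted to Carol alone, because Bob is not in Bob.friend. The fixed-point loop is what a policy engine does with a set of creddy-issued certs: nothing is granted unless a chain of credentials derives it.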
.SS --keycheck
Do a sanity check on a private key file, decrypting it first with the given passphrase if it is encrypted

.TP
.B --key
private key to be checked

.TP
.B --p
passphrase file to be used if the key is encrypted

.SS --roles
Extract the roles from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC roles

.SS --osets
Extract the osets from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC osets

.SS --display
Display metadata from an X.509 identity or attribute cert

.TP
.B --show=[issuer,..,all]
comma-separated list of:

    issuer      DN of issuer
    subject     DN of subject
    validity    validity period
    roles       attribute cert roles (fails silently on ID certs)
    osets       attribute cert osets (fails silently on ID certs)
    all         all of the above

.TP
.B --cert
X.509 identity or attribute cert

.SS --version
display the ABAC/creddy version

.SH EXAMPLES

.TP
Generate ID cert and private key pairs for Alice and Bob (this writes Alice_ID.pem, Alice_private.pem, Bob_ID.pem and Bob_private.pem to the current directory):

.B creddy --generate --cn Alice
.br
.B creddy --generate --cn Bob

.TP
Issue the credential Alice.friend <- Bob, signed with Alice's private key:

creddy --attribute \\
       --issuer Alice_ID.pem --key Alice_private.pem \\
       --role friend --subject-cert Bob_ID.pem \\
       --out Alice_friend__Bob_attr.der

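.P
The procedure above carried one step further, as an added example (Python, not part of creddy): it generates identities for Alice, Bob and a constructed third principal Carol, issues Alice.friend <- Bob.friend and Bob.friend <- Carol, verifies each attribute cert against its issuer's identity cert with --verify, and lists the roles it carries with --roles. The argv builders encode the option syntax documented on this page; the attribute-cert filenames follow the page's Alice_friend__Bob_attr.der convention, while the creddy-demo working directory and the assumption that creddy exits non-zero on failure are this example's own.

```python
"""Chained issuance with creddy: generate, issue, verify, list roles.

Added example, not part of creddy. The *_cmd() helpers build argv from the
options documented in this man page; demo() runs them only when a creddy
binary is on PATH and assumes creddy exits non-zero on failure (check=True).
"""
import shutil
import subprocess
from pathlib import Path


def generate_cmd(cn, validity=None, out=None, key=None, pfile=None):
    """creddy --generate: writes ${cn}_ID.pem and, unless --key is given, ${cn}_private.pem."""
    argv = ["creddy", "--generate", "--cn", cn]
    if validity:
        argv += ["--validity", validity]        # e.g. "2y", "30d", "12h"; a bare number means days
    if out:
        argv += ["--out", str(out)]             # directory must already exist
    if key:
        argv += ["--key", str(key)]             # wrap an existing private key
        if pfile:
            argv.append(f"--p={pfile}")         # passphrase file for an encrypted key
    return argv


def attribute_cmd(issuer_cert, issuer_key, role, subject_cert, out,
                  subject_role=None, validity=None, pfile=None):
    """creddy --attribute: issuer.role <- subject, or issuer.role <- subject.subject_role."""
    argv = ["creddy", "--attribute",
            "--issuer", str(issuer_cert), "--key", str(issuer_key),
            "--role", role, "--subject-cert", str(subject_cert)]
    if subject_role:
        argv += ["--subject-role", subject_role]
    if validity:
        argv += ["--validity", validity]
    if pfile:
        argv.append(f"--p={pfile}")
    return argv + ["--out", str(out)]


def id_files(cn, out="."):
    """Files creddy --generate writes for a common name."""
    return Path(out) / f"{cn}_ID.pem", Path(out) / f"{cn}_private.pem"


def attr_file(issuer, role, subject, out="."):
    """Naming convention from EXAMPLES: Alice_friend__Bob_attr.der (must end in _attr.der)."""
    return Path(out) / f"{issuer}_{role}__{subject}_attr.der"


def run(argv):
    """Run one creddy command, raising on a non-zero exit (assumed to signal failure)."""
    return subprocess.run(argv, check=True, text=True, capture_output=True).stdout


def demo(workdir="creddy-demo"):
    """Alice.friend <- Bob.friend and Bob.friend <- Carol, then verify both and list roles."""
    work = Path(workdir)
    work.mkdir(exist_ok=True)                    # --out requires an existing directory
    for cn in ("Alice", "Bob", "Carol"):
        run(generate_cmd(cn, out=work))
        run(["creddy", "--keycheck", "--key", str(id_files(cn, work)[1])])

    alice_id, alice_key = id_files("Alice", work)
    bob_id, bob_key = id_files("Bob", work)
    carol_id, _ = id_files("Carol", work)

    # Alice delegates: anyone Bob calls a friend is Alice's friend too (--subject-role).
    delegation = attr_file("Alice", "friend", "Bob_friend", work)
    run(attribute_cmd(alice_id, alice_key, "friend", bob_id, delegation, subject_role="friend"))
    # Bob names Carol, so together with the delegation Carol also holds Alice.friend.
    membership = attr_file("Bob", "friend", "Carol", work)
    run(attribute_cmd(bob_id, bob_key, "friend", carol_id, membership))

    # An attribute cert is verified against the identity cert of the principal that issued it.
    for issuer_cert, attr in ((alice_id, delegation), (bob_id, membership)):
        run(["creddy", "--verify", "--cert", str(issuer_cert), "--attrcert", str(attr)])
        print(attr.name, "->", run(["creddy", "--roles", "--cert", str(attr)]).strip())
    return delegation, membership


if __name__ == "__main__":
    if shutil.which("creddy"):
        demo()
    else:
        print("creddy not found; would run:",
              " ".join(attribute_cmd("Alice_ID.pem", "Alice_private.pem", "friend",
                                     "Bob_ID.pem", "Alice_friend__Bob_attr.der")))
```

Verifying each _attr.der against the issuer's own ID cert (not against the subject's) is the check that matters before a credential is handed to ABAC: a cert whose signature does not match the claimed issuer's key proves nothing about that issuer's attribute space.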
.SH AUTHOR

Written by Mike Ryan.
.br
Updated by Mei-Hui Su <mei@ISI.EDU>.

.SH BUGS

None yet. Report to http://abac.deterlab.net/

.SH COPYRIGHT

Copyright (c) 2010-2012 USC/ISI. Released under MIT license. See COPYING included with source for details.