source: doc/creddy.1 @ fc9548a

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml
Last change on this file since fc9548a was 461541a, checked in by Mei <mei@…>, 12 years ago

1) updated original rt0 to remove libstrongswan dependency

a) identity credential being made/accessed with openssl api calls

(X509/EVP_PKEY pem)

b) attribute credential being made/access via xmlsec1 (custom XML

structure)

2) refactored libcreddy into libabac and now one ABAC namespace for

libabac

3) added attribute_rule suboption to creddy's attribute as another way

to insert access rule

4) added some regression tests into example directory
5) updated some docs.

  • Property mode set to 100644
File size: 4.0 KB
RevLine 
[ab52de1]1.TH creddy 1 "February 2012" "ABAC 0.2.0"
[b02d665]2
3.SH NAME
[461541a]4creddy \- ABAC X.509 identity and XML attribute certificate manager (for cool kids)
[b02d665]5
6.SH SYNOPSIS
7
8.B creddy [ --<mode> ] --help
9
10.SH DESCRIPTION
11
12creddy is an awesome and wonderful ABAC credential management tool. It
13creates, verifies, and otherwise frobnicates X.509 identity and
[461541a]14XML attribute certificates. The output of the tool is suitable for use with
[b02d665]15ABAC. Additionally, the self-signed X.509 identity certs (with
16associated private keys) can be used with OpenSSL.
17
18.SH OPTIONS
19
20.SS --generate
21Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem.
22.P
23Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.
24
25.TP
26.B --cn
27common name used on certificate, provided as a convenience and ignored by ABAC
28
29.TP
30.B --validity
[d4961ff]31optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days.
32
33.TP
34.B --out
35optional output directory. Must exist before invoking the command.
[b02d665]36
37.SS --verify
38verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert
39
40.TP
41.B --cert
42self-signed X.509 identity cert
43
44.TP
45.B --attrcert
[461541a]46optional XML attribute cert. If omitted the self-signature of the ID cert is checked
[b02d665]47
48.SS --keyid
49extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert
50
51.TP
52.B --cert
53X.509 identity cert
54
55.SS --attribute
[461541a]56generate a XML attribute cert representing an ABAC credential
[b02d665]57
[7f30af7]58An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-role. Providing multiple subjects creates an intersection certificate.
59
[b02d665]60.TP
61.B --issuer
62X.509 identity cert issuing the credential
63
64.TP
65.B --key
66private key associated with issuer cert
67
68.TP
69.B --role
70role in issuer's local attribute space
71
72.TP
73.B --subject-cert
[7f30af7]74X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.
[b02d665]75
76.TP
77.B --subject-id
[7f30af7]78public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.
[b02d665]79
80.TP
81.B --subject-role
[19be896]82optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.
[b02d665]83
84.TP
85.B --validity
[d4961ff]86optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days.
[b02d665]87
88.TP
89.B --out
[461541a]90where to save the XML attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.xml.
[b02d665]91
[7f30af7]92
[b02d665]93.SS --roles
[461541a]94Extract the roles from an XML attribute cert
[b02d665]95
96.TP
97.B --cert
[461541a]98XML attribute cert containing ABAC roles
[b02d665]99
[8fc9d72]100.SS --display
[461541a]101Displays metadata from an X.509 identity or XML attribute cert
[8fc9d72]102
103.TP
104.B --show=[issuer,..,all]
105comma-separated list of:
106
107    issuer      DN of issuer
108    subject     DN of subject
109    validity    validity period
110    roles       attribute cert roles (fails silently on ID certs)
111    all         all of the above
112
113.TP
114.B --cert
[461541a]115X.509 identity or XML attribute cert
[8fc9d72]116
[19be896]117.SS --version
118display ABAC/creddy version
119
[b02d665]120.SH EXAMPLES
121
122.TP
123Generate ID cert and private key pairs:
124
125.B creddy --generate --cn Alice
126.br
127.B creddy --generate --cn Bob
128
129.TP
130Issue the credential Alice.friend <- Bob
131
132creddy --attribute \\
133       --issuer Alice_ID.pem --key Alice_private.pem \\
134       --role friend --subject-cert Bob_ID.pem \\
135       --out Alice_friend__Bob_attr.der
136
137.SH AUTHOR
138
[461541a]139Written by Mike Ryan <mikeryan@ISI.EDU>
140Edited by Mei-Hui Su <mei@ISI.EDU>
[b02d665]141
142.SH BUGS
143
144None yet. Report to http://abac.deterlab.net/
145
146.SH COPYRIGHT
147
[461541a]148Copyright (c) 2010-2013 USC/ISI. Released under MIT license. See COPYING included with source for details.
Note: See TracBrowser for help on using the repository browser.