1 | .TH creddy 1 "February 2012" "ABAC 0.2.0" |
---|
2 | |
---|
3 | .SH NAME |
---|
4 | creddy \- ABAC X.509 identity and XML attribute certificate manager (for cool kids) |
---|
5 | |
---|
6 | .SH SYNOPSIS |
---|
7 | |
---|
8 | .B creddy [ --<mode> ] --help |
---|
9 | |
---|
10 | .SH DESCRIPTION |
---|
11 | |
---|
12 | creddy is an awesome and wonderful ABAC credential management tool. It |
---|
13 | creates, verifies, and otherwise frobnicates X.509 identity and |
---|
14 | XML attribute certificates. The output of the tool is suitable for use with |
---|
15 | ABAC. Additionally, the self-signed X.509 identity certs (with |
---|
16 | associated private keys) can be used with OpenSSL. |
---|
17 | |
---|
18 | .SH OPTIONS |
---|
19 | |
---|
20 | .SS --generate |
---|
21 | Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem. |
---|
22 | .P |
---|
23 | Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems. |
---|
24 | |
---|
25 | .TP |
---|
26 | .B --cn |
---|
27 | common name used on certificate, provided as a convenience and ignored by ABAC |
---|
28 | |
---|
29 | .TP |
---|
30 | .B --validity |
---|
31 | optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days. |
---|
32 | |
---|
33 | .TP |
---|
34 | .B --out |
---|
35 | optional output directory. Must exist before invoking the command. |
---|
36 | |
---|
37 | .SS --verify |
---|
38 | verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert |
---|
39 | |
---|
40 | .TP |
---|
41 | .B --cert |
---|
42 | self-signed X.509 identity cert |
---|
43 | |
---|
44 | .TP |
---|
45 | .B --attrcert |
---|
46 | optional XML attribute cert. If omitted the self-signature of the ID cert is checked |
---|
47 | |
---|
48 | .SS --keyid |
---|
49 | extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert |
---|
50 | |
---|
51 | .TP |
---|
52 | .B --cert |
---|
53 | X.509 identity cert |
---|
54 | |
---|
55 | .SS --attribute |
---|
56 | generate a XML attribute cert representing an ABAC credential |
---|
57 | |
---|
58 | An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-role. Providing multiple subjects creates an intersection certificate. |
---|
59 | |
---|
60 | .TP |
---|
61 | .B --issuer |
---|
62 | X.509 identity cert issuing the credential |
---|
63 | |
---|
64 | .TP |
---|
65 | .B --key |
---|
66 | private key associated with issuer cert |
---|
67 | |
---|
68 | .TP |
---|
69 | .B --role |
---|
70 | role in issuer's local attribute space |
---|
71 | |
---|
72 | .TP |
---|
73 | .B --subject-cert |
---|
74 | X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject. |
---|
75 | |
---|
76 | .TP |
---|
77 | .B --subject-id |
---|
78 | public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject. |
---|
79 | |
---|
80 | .TP |
---|
81 | .B --subject-role |
---|
82 | optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2. |
---|
83 | |
---|
84 | .TP |
---|
85 | .B --validity |
---|
86 | optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days. |
---|
87 | |
---|
88 | .TP |
---|
89 | .B --out |
---|
90 | where to save the XML attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.xml. |
---|
91 | |
---|
92 | |
---|
93 | .SS --roles |
---|
94 | Extract the roles from an XML attribute cert |
---|
95 | |
---|
96 | .TP |
---|
97 | .B --cert |
---|
98 | XML attribute cert containing ABAC roles |
---|
99 | |
---|
100 | .SS --display |
---|
101 | Displays metadata from an X.509 identity or XML attribute cert |
---|
102 | |
---|
103 | .TP |
---|
104 | .B --show=[issuer,..,all] |
---|
105 | comma-separated list of: |
---|
106 | |
---|
107 | issuer DN of issuer |
---|
108 | subject DN of subject |
---|
109 | validity validity period |
---|
110 | roles attribute cert roles (fails silently on ID certs) |
---|
111 | all all of the above |
---|
112 | |
---|
113 | .TP |
---|
114 | .B --cert |
---|
115 | X.509 identity or XML attribute cert |
---|
116 | |
---|
117 | .SS --version |
---|
118 | display ABAC/creddy version |
---|
119 | |
---|
120 | .SH EXAMPLES |
---|
121 | |
---|
122 | .TP |
---|
123 | Generate ID cert and private key pairs: |
---|
124 | |
---|
125 | .B creddy --generate --cn Alice |
---|
126 | .br |
---|
127 | .B creddy --generate --cn Bob |
---|
128 | |
---|
129 | .TP |
---|
130 | Issue the credential Alice.friend <- Bob |
---|
131 | |
---|
132 | creddy --attribute \\ |
---|
133 | --issuer Alice_ID.pem --key Alice_private.pem \\ |
---|
134 | --role friend --subject-cert Bob_ID.pem \\ |
---|
135 | --out Alice_friend__Bob_attr.der |
---|
136 | |
---|
137 | .SH AUTHOR |
---|
138 | |
---|
139 | Written by Mike Ryan <mikeryan@ISI.EDU> |
---|
140 | Edited by Mei-Hui Su <mei@ISI.EDU> |
---|
141 | |
---|
142 | .SH BUGS |
---|
143 | |
---|
144 | None yet. Report to http://abac.deterlab.net/ |
---|
145 | |
---|
146 | .SH COPYRIGHT |
---|
147 | |
---|
148 | Copyright (c) 2010-2013 USC/ISI. Released under MIT license. See COPYING included with source for details. |
---|