source: doc/creddy.1 @ 5f551d3

Last change on this file since 5f551d3 was 9806e76, checked in by Mei <mei@…>, 13 years ago

1) add handling for typed anonymous term, [int:?]
2) make a pass through abac/doc
3) fix up creddy to take oset option at different calls

.TH creddy 1 "September 2010" "ABAC 0.1.2"

.SH NAME
creddy \- ABAC X.509 identity and attribute certificate manager (for cool kids)

.SH SYNOPSIS

.B creddy [ --<mode> ] --help

.SH DESCRIPTION

creddy is an awesome and wonderful ABAC credential management tool. It
creates, verifies, and otherwise frobnicates X.509 identity and
attribute certificates. The output of the tool is suitable for use with
ABAC. Additionally, the self-signed X.509 identity certs (with
associated private keys) can be used with OpenSSL.

.SH OPTIONS

.SS --generate
Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem.
.P
Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.

.TP
.B --cn
common name used on certificate, provided as a convenience and ignored by ABAC

.TP
.B --validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days.

.TP
.B --out
optional output directory. Must exist before invoking the command.

.SS --verify
verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert

.TP
.B --cert
self-signed X.509 identity cert

.TP
.B --attrcert
optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked

.SS --keyid
extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert

.TP
.B --cert
X.509 identity cert

.SS --attribute
generate an X.509 attribute cert representing an ABAC credential

An attribute cert has one or more subjects. A single subject may be defined without a role or oset. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-{role,oset}, or just --subject-obj or --subject-cert. Providing multiple subjects creates an intersection certificate.

.TP
.B --issuer
X.509 identity cert issuing the credential

.TP
.B --key
private key associated with issuer cert

.TP
.B --role
role in issuer's local attribute space

.TP
.B --oset
o-set in issuer's local attribute space

.TP
.B --subject-cert
X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.

.TP
.B --subject-id
public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.

.TP
.B --subject-role
optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.

.TP
.B --subject-oset
optional oset in subject's local attribute space. If the issuer is A, oset is o1, subject is B, and subject-oset is o2, the attribute issued will be A.o1 <- B.o2.

.TP
.B --subject-obj
optional object in subject's local attribute space. If the issuer is A, oset is o1, and subject-obj is o2, the attribute issued will be A.o1 <- o2.

.TP
.B --validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days.

.TP
.B --out
where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der.


.SS --roles
Extract the roles from an X.509 attribute cert

.SS --osets
Extract the osets from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC roles

.SS --display
Displays metadata from an X.509 identity or attribute cert

.TP
.B --show=[issuer,..,all]
comma-separated list of:

    issuer      DN of issuer
    subject     DN of subject
    validity    validity period
    roles       attribute cert roles (fails silently on ID certs)
    osets       attribute cert osets (fails silently on ID certs)
    all         all of the above

.TP
.B --cert
X.509 identity or attribute cert

.SS --version
display ABAC/creddy version

.SH EXAMPLES

.TP
Generate ID cert and private key pairs:

.B creddy --generate --cn Alice
.br
.B creddy --generate --cn Bob

.TP
Issue the credential Alice.friend <- Bob

creddy --attribute \\
       --issuer Alice_ID.pem --key Alice_private.pem \\
       --role friend --subject-cert Bob_ID.pem \\
       --out Alice_friend__Bob_attr.der

.SH AUTHOR

Written by Mike Ryan <mikeryan@ISI.EDU>. Like what you see? Buy me a beer!

.SH BUGS

None yet. Report to http://abac.deterlab.net/

.SH COPYRIGHT

Copyright (c) 2010-2011 USC/ISI. Released under MIT license. See COPYING included with source for details.
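As an added example, not part of creddy or the ABAC distribution, the following Python turns an ABAC credential written as A.r <- B, A.r <- B.r2 or an intersection A.r <- B.r1 & C.r2 into the creddy --attribute command line described in OPTIONS, using the <cn>_ID.pem / <cn>_private.pem names from the example above, and validates --validity exactly as the man page defines it (digits plus optional s m h d y suffix, d by default). The output file name for subjects with a role and for intersections extends the Alice_friend__Bob_attr.der pattern and is an assumption.

```python
import re

# creddy's --validity grammar: digits plus optional s/m/h/d/y suffix, d by default.
_VALIDITY = re.compile(r"^(\d+)([smhdy])?$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}


def validity_seconds(arg):
    """Lifetime in seconds for a --validity argument; ValueError if malformed."""
    m = _VALIDITY.match(arg.strip())
    if not m:
        raise ValueError(f"malformed --validity value: {arg!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "d"]


def attribute_argv(credential, validity="365d"):
    """Build the creddy --attribute argv for a role credential written as
    'A.r <- B', 'A.r <- B.r2' or an intersection 'A.r <- B.r1 & C.r2'.

    A, B, C are the common names passed to creddy --generate, so the issuer
    signs with <cn>_ID.pem / <cn>_private.pem.  The output name is an
    assumption extending the man page's Alice_friend__Bob_attr.der pattern:
    one '<cn>[_<role>]' segment per subject, joined by '__'.
    """
    head, arrow, tail = credential.partition("<-")
    if not arrow or head.count(".") != 1:
        raise ValueError("expected '<issuer>.<role> <- <subject>[.<role>] [& ...]'")
    issuer, role = (s.strip() for s in head.split("."))
    validity_seconds(validity)  # reject a bad lifetime before creddy is invoked
    argv = ["creddy", "--attribute",
            "--issuer", f"{issuer}_ID.pem", "--key", f"{issuer}_private.pem",
            "--role", role]
    out_parts = []
    for subj in tail.split("&"):
        name, _, subj_role = (s.strip() for s in subj.partition("."))
        if not name:
            raise ValueError(f"empty subject in {credential!r}")
        # --subject-id <keyid> (from creddy --keyid) would be the equivalent of --subject-cert.
        argv += ["--subject-cert", f"{name}_ID.pem"]
        if subj_role:
            argv += ["--subject-role", subj_role]   # yields A.r <- B.r2
        out_parts.append(name + (f"_{subj_role}" if subj_role else ""))
    argv += ["--validity", validity,
             "--out", f"{issuer}_{role}__{'__'.join(out_parts)}_attr.der"]
    return argv


if __name__ == "__main__":
    print(" ".join(attribute_argv("Alice.friend <- Bob")))
```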