1 | .TH creddy 1 "July 2012" "ABAC 0.2.2" |
---|
2 | |
---|
3 | .SH NAME |
---|
4 | creddy \- ABAC X.509 identity and attribute certificate manager |
---|
5 | |
---|
6 | .SH SYNOPSIS |
---|
7 | |
---|
8 | .B creddy [ --<mode> ] --help |
---|
9 | |
---|
10 | .SH DESCRIPTION |
---|
11 | |
---|
12 | creddy is an awesome and wonderful ABAC credential management tool. It |
---|
13 | creates, verifies, and otherwise frobnicates X.509 identity and |
---|
14 | attribute certificates. The output of the tool is suitable for use with |
---|
15 | ABAC. Additionally, the self-signed X.509 identity certs (with |
---|
16 | associated private keys) can be used with OpenSSL |
---|
17 | |
---|
18 | .SH OPTIONS |
---|
19 | |
---|
20 | .SS --generate |
---|
21 | Generate an X.509 identity cert and private key pair unless an external private key is specified. The certificate is saved in ${cn}_id.pem and the generated private key is saved in ${cn}_private.pem |
---|
22 | |
---|
23 | .P |
---|
24 | Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems |
---|
25 | |
---|
26 | .TP |
---|
27 | .B --cn |
---|
28 | common name used on certificate, provided as a convenience and ignored by ABAC |
---|
29 | |
---|
30 | .TP |
---|
31 | .B --validity |
---|
32 | optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days |
---|
33 | |
---|
34 | .TP |
---|
35 | .B --out |
---|
36 | optional output directory. Must exist before invoking the command |
---|
37 | |
---|
38 | .TP |
---|
39 | .B --key |
---|
40 | optional external private key to be use for this identity |
---|
41 | |
---|
42 | .TP |
---|
43 | .B --p |
---|
44 | optional passphrase flag if the external private key supplied is encrypted. If the passphrase |
---|
45 | is saved in a file 'pfile', then --p=pfile |
---|
46 | |
---|
47 | .SS --verify |
---|
48 | verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert |
---|
49 | |
---|
50 | .TP |
---|
51 | .B --cert |
---|
52 | self-signed X.509 identity cert |
---|
53 | |
---|
54 | .TP |
---|
55 | .B --attrcert |
---|
56 | optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked |
---|
57 | |
---|
58 | .SS --keyid |
---|
59 | extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert |
---|
60 | |
---|
61 | .TP |
---|
62 | .B --cert |
---|
63 | X.509 identity cert |
---|
64 | |
---|
65 | .SS --attribute |
---|
66 | generate an X.509 attribute cert representing an ABAC credential |
---|
67 | |
---|
68 | An attribute cert has one or more subjects. A single subject may be defined without a role or oset. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-{role,oset} and may include an optional --subject-link or just --subject-obj or --subject-cert. Providing multiple subjects creates an intersection certificate |
---|
69 | |
---|
70 | .TP |
---|
71 | .B --issuer |
---|
72 | X.509 identity cert issuing the credential |
---|
73 | |
---|
74 | .TP |
---|
75 | .B --key |
---|
76 | private key associated with issuer cert |
---|
77 | |
---|
78 | .TP |
---|
79 | .B --p |
---|
80 | optional passphrase if the private key is encrypted |
---|
81 | |
---|
82 | .TP |
---|
83 | .B --role |
---|
84 | role in issuer's local attribute space |
---|
85 | |
---|
86 | .TP |
---|
87 | .B --oset |
---|
88 | o-set in issuer's local attribute space |
---|
89 | |
---|
90 | .TP |
---|
91 | .B --subject-cert |
---|
92 | X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject |
---|
93 | |
---|
94 | .TP |
---|
95 | .B --subject-id |
---|
96 | public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject |
---|
97 | |
---|
98 | .TP |
---|
99 | .B --subject-role |
---|
100 | optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2 |
---|
101 | |
---|
102 | .TP |
---|
103 | .B --subject-oset |
---|
104 | optional oset in subject's local attribute space. If the issuer is A, oset is o1, subject is B, and subject-oset is o2, the attribute issued will be A.o1 <- B.o2 |
---|
105 | |
---|
106 | .TP |
---|
107 | .B --subject-link |
---|
108 | optional linking role in subject's local attribute space. If the issuer is A, oset is o1, subject is B, subject-link is r2 and subject-oset is o2, the attribute issued will be A.o1 <- B.r2.o2 |
---|
109 | |
---|
110 | .TP |
---|
111 | .B --subject-obj |
---|
112 | optional object in subject's local attribute space. If the issuer is A, oset is o1, and subject-obj is o2, the attribute issued will be A.o1 <- o2 |
---|
113 | |
---|
114 | .TP |
---|
115 | .B --validity |
---|
116 | optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days |
---|
117 | |
---|
118 | .TP |
---|
119 | .B --out |
---|
120 | where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der |
---|
121 | |
---|
122 | .SS --keycheck |
---|
123 | Do a sanity check on a private key file |
---|
124 | |
---|
125 | .TP |
---|
126 | .B --key |
---|
127 | private key to be used |
---|
128 | |
---|
129 | .TP |
---|
130 | .B --p |
---|
131 | passphrase file to be used |
---|
132 | |
---|
133 | .SS --roles |
---|
134 | Extract the roles from an X.509 attribute cert |
---|
135 | |
---|
136 | .TP |
---|
137 | .B --cert |
---|
138 | X.509 attribute cert containing ABAC roles |
---|
139 | |
---|
140 | .SS --osets |
---|
141 | Extract the osets from an X.509 attribute cert |
---|
142 | |
---|
143 | .TP |
---|
144 | .B --cert |
---|
145 | X.509 attribute cert containing ABACosets |
---|
146 | |
---|
147 | .SS --display |
---|
148 | Displays metadata from an X.509 identity or attribute cert |
---|
149 | |
---|
150 | .TP |
---|
151 | .B --show=[issuer,..,all] |
---|
152 | comma-separated list of: |
---|
153 | |
---|
154 | issuer DN of issuer |
---|
155 | subject DN of subject |
---|
156 | validity validity period |
---|
157 | roles attribute cert roles (fails silently on ID certs) |
---|
158 | osets attribute cert osets (fails silently on ID certs) |
---|
159 | all all of the above |
---|
160 | |
---|
161 | .TP |
---|
162 | .B --cert |
---|
163 | X.509 identity or attribute cert |
---|
164 | |
---|
165 | .SS --version |
---|
166 | display ABAC/creddy version |
---|
167 | |
---|
168 | .SH EXAMPLES |
---|
169 | |
---|
170 | .TP |
---|
171 | Generate ID cert and private key pairs: |
---|
172 | |
---|
173 | .B creddy --generate --cn Alice |
---|
174 | .br |
---|
175 | .B creddy --generate --cn Bob |
---|
176 | |
---|
177 | .TP |
---|
178 | Issue the credential Alice.friend <- Bob |
---|
179 | |
---|
180 | creddy --attribute \\ |
---|
181 | --issuer Alice_ID.pem --key Alice_private.pem \\ |
---|
182 | --role friend --subject-cert Bob_ID.pem \\ |
---|
183 | --out Alice_friend__Bob_attr.der |
---|
184 | |
---|
185 | .SH AUTHOR |
---|
186 | |
---|
187 | Written by Mike Ryan |
---|
188 | .br |
---|
189 | Updated by Mei-Hui Su <mei@ISI.EDU>. |
---|
190 | |
---|
191 | .SH BUGS |
---|
192 | |
---|
193 | None yet. Report to http://abac.deterlab.net/ |
---|
194 | |
---|
195 | .SH COPYRIGHT |
---|
196 | |
---|
197 | Copyright (c) 2010-2012 USC/ISI. Released under MIT license. See COPYING included with source for details. |
---|