source: doc/creddy.1 @ da78b95

Last change on this file since da78b95 was 549656e, checked in by Mei <mei@…>, 12 years ago

1) modify some doc files

.TH creddy 1 "July 2012" "ABAC 2.1.0"

.SH NAME
creddy \- ABAC X.509 identity and attribute certificate manager

.SH SYNOPSIS

.B creddy [ --<mode> ] --help

.SH DESCRIPTION

creddy is an awesome and wonderful ABAC credential management tool. It
creates, verifies, and otherwise frobnicates X.509 identity and
attribute certificates. The output of the tool is suitable for use with
ABAC. Additionally, the self-signed X.509 identity certs (with
associated private keys) can be used with OpenSSL.

.SH OPTIONS

.SS --generate
Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem.
.P
Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.

.TP
.B --cn
common name used on certificate, provided as a convenience and ignored by ABAC

.TP
.B --validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days.

.TP
.B --out
optional output directory. Must exist before invoking the command.

.SS --verify
verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert

.TP
.B --cert
self-signed X.509 identity cert

.TP
.B --attrcert
optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked

.SS --keyid
extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert

.TP
.B --cert
X.509 identity cert

.SS --attribute
generate an X.509 attribute cert representing an ABAC credential

An attribute cert has one or more subjects. A single subject may be defined without a role or oset. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-{role,oset} and may include an optional --subject-link or just --subject-obj or --subject-cert. Providing multiple subjects creates an intersection certificate.

.TP
.B --issuer
X.509 identity cert issuing the credential

.TP
.B --key
private key associated with issuer cert

.TP
.B --role
role in issuer's local attribute space

.TP
.B --oset
o-set in issuer's local attribute space

.TP
.B --subject-cert
X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.

.TP
.B --subject-id
public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.

.TP
.B --subject-role
optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.

.TP
.B --subject-oset
optional oset in subject's local attribute space. If the issuer is A, oset is o1, subject is B, and subject-oset is o2, the attribute issued will be A.o1 <- B.o2.

.TP
.B --subject-link
optional linking role in subject's local attribute space. If the issuer is A, oset is o1, subject is B, subject-link is r2 and subject-oset is o2, the attribute issued will be A.o1 <- B.r2.o2.

.TP
.B --subject-obj
optional object in subject's local attribute space. If the issuer is A, oset is o1, and subject-obj is o2, the attribute issued will be A.o1 <- o2.

.TP
.B --validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days.

.TP
.B --out
where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der.


.SS --roles
Extract the roles from an X.509 attribute cert

.SS --osets
Extract the osets from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC roles

.SS --display
Displays metadata from an X.509 identity or attribute cert

.TP
.B --show=[issuer,..,all]
comma-separated list of:

    issuer      DN of issuer
    subject     DN of subject
    validity    validity period
    roles       attribute cert roles (fails silently on ID certs)
    osets       attribute cert osets (fails silently on ID certs)
    all         all of the above

.TP
.B --cert
X.509 identity or attribute cert

.SS --version
display ABAC/creddy version

.SH EXAMPLES

.TP
Generate ID cert and private key pairs:

.B creddy --generate --cn Alice
.br
.B creddy --generate --cn Bob

.TP
Issue the credential Alice.friend <- Bob

creddy --attribute \\
       --issuer Alice_ID.pem --key Alice_private.pem \\
       --role friend --subject-cert Bob_ID.pem \\
       --out Alice_friend__Bob_attr.der
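The subject combinations described under --attribute and the EXAMPLES section above, as an added Python model that is not part of creddy: it parses --validity arguments the way the man page specifies and builds the ABAC credential string (A.r1 <- B.r2, A.o1 <- B.r2.o2, ...) that a given set of options yields. The '&' notation for intersection certificates and the errors raised for bad option combinations are assumptions, not documented creddy behaviour.

```python
import re

# Seconds per --validity suffix; a bare number means days (suffix d).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}

def parse_validity(arg, default_days):
    """Parse a creddy --validity argument into seconds.
    default_days is the mode's default: 1080 for --generate, 365 for --attribute."""
    if arg is None:
        return default_days * 86400
    m = re.fullmatch(r"(\d+)([smhdy]?)", arg)
    if not m:
        raise ValueError("bad --validity value: %r" % arg)
    return int(m.group(1)) * _UNITS[m.group(2) or "d"]

def subject_term(s):
    """Right-hand term for one subject. s holds that subject's --subject-*
    options, with 'id' standing for the principal named by --subject-cert
    or --subject-id (the man page says to give exactly one of those)."""
    if "obj" in s:                       # --subject-obj o2                     -> o2
        return s["obj"]
    if "link" in s:                      # --subject-link r2 --subject-oset o2  -> B.r2.o2
        if "oset" not in s:
            raise ValueError("--subject-link requires --subject-oset")  # assumption
        return "%s.%s.%s" % (s["id"], s["link"], s["oset"])
    if "role" in s:                      # --subject-role r2                    -> B.r2
        return "%s.%s" % (s["id"], s["role"])
    if "oset" in s:                      # --subject-oset o2                    -> B.o2
        return "%s.%s" % (s["id"], s["oset"])
    return s["id"]                       # bare principal                       -> B

def credential(issuer, role=None, oset=None, subjects=()):
    """ABAC credential string for creddy --attribute: issuer.role <- subject(s)."""
    if (role is None) == (oset is None):
        raise ValueError("exactly one of --role / --oset is required")  # assumption
    if not subjects:
        raise ValueError("at least one subject is required")           # assumption
    head = "%s.%s" % (issuer, role if role is not None else oset)
    # Several subjects give an intersection certificate; joining them with
    # '&' is RT notation and an assumption here, since the man page names the
    # result but does not show how creddy prints it.
    return head + " <- " + " & ".join(subject_term(s) for s in subjects)

if __name__ == "__main__":
    # The EXAMPLES section: Alice.friend <- Bob with the default 365-day validity.
    print(credential("Alice", role="friend", subjects=[{"id": "Bob"}]))
    print(parse_validity(None, 365) // 86400, "days")
```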

.SH AUTHOR

Written by Mike Ryan
Updated by Mei-Hui Su <mei@ISI.EDU>.

.SH BUGS

None yet. Report to http://abac.deterlab.net/

.SH COPYRIGHT

Copyright (c) 2010-2012 USC/ISI. Released under MIT license. See COPYING included with source for details.