| 1 | #!/bin/sh |
|---|
| 2 | |
|---|
| 3 | rm -rf *.der *.pem |
|---|
| 4 | |
|---|
| 5 | # |
|---|
| 6 | # This example demonstrates intersections. An intersection is a logical and of |
|---|
| 7 | # roles or osets. An intersection succeeds if the principal is in the |
|---|
| 8 | # intersection of the sets defined by the roles. |
|---|
| 9 | # |
|---|
| 10 | # The policy set by Acme is that a character must both a preferred customer and |
|---|
| 11 | # a WarnerBrothers character to buy rockets. Each of those attributes is |
|---|
| 12 | # specified by a role. |
|---|
| 13 | # |
|---|
| 14 | # This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman. |
|---|
| 15 | # Credential 1 defines the policy requiring both roles to get the buy_rockets |
|---|
| 16 | # role. Credential 2 gives the Coyote a preferred_customer role. Credential 3 |
|---|
| 17 | # gives Batman the preferred_customer role and Credential 4 recognizes the |
|---|
| 18 | # Coyote as a Warner Brothers character. |
|---|
| 19 | # |
|---|
| 20 | #In order to buy rockets from Acme, you must be BOTH a preferred customer |
|---|
| 21 | #AND a WarnerBros character. In this example, the following query will be |
|---|
| 22 | #successful: |
|---|
| 23 | # |
|---|
| 24 | # Acme.buy_rockets <-?- Coyote |
|---|
| 25 | # |
|---|
| 26 | #The following query will fail (because Batman does not have the |
|---|
| 27 | #attribute WarnerBros.character): |
|---|
| 28 | # |
|---|
| 29 | # Acme.buy_rockets <-?- Batman |
|---|
| 30 | # |
|---|
| 31 | # The attached ./rr file carries out these queries. As well as 2 queries for |
|---|
| 32 | # non-existant certificates (which fail). |
|---|
| 33 | # |
|---|
| 34 | #Acme.buy_rockets <- Acme.preferred_customer & WarnerBros.character |
|---|
| 35 | #Acme.preferred_customer <- Coyote |
|---|
| 36 | #Acme.preferred_customer <- Batman |
|---|
| 37 | #WarnerBros.character <- Coyote |
|---|
| 38 | # |
|---|
| 39 | |
|---|
| 40 | creddy --generate --cn Acme |
|---|
| 41 | creddy --generate --cn WarnerBros |
|---|
| 42 | creddy --generate --cn Coyote |
|---|
| 43 | creddy --generate --cn Batman |
|---|
| 44 | |
|---|
| 45 | #[keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer & [keyid:WarnerBros].role:charater |
|---|
| 46 | # Credential 1 |
|---|
| 47 | creddy --attribute \ |
|---|
| 48 | --issuer Acme_ID.pem --key Acme_private.pem --role buy_rockets \ |
|---|
| 49 | --subject-cert Acme_ID.pem --subject-role preferred_customer \ |
|---|
| 50 | --subject-cert WarnerBros_ID.pem --subject-role character \ |
|---|
| 51 | --out Acme_buy_rockets__Acme_preferred_customer_and_WarnerBros_character_attr.der |
|---|
| 52 | |
|---|
| 53 | #[keyid:Acme].role:preferred_customer <- [keyid:Coyote] |
|---|
| 54 | # Credential 2 |
|---|
| 55 | creddy --attribute \ |
|---|
| 56 | --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \ |
|---|
| 57 | --subject-cert Coyote_ID.pem \ |
|---|
| 58 | --out Acme_preferred_customer__Coyote_attr.der |
|---|
| 59 | |
|---|
| 60 | #[keyid:Acme].role:preferred_customer <- [keyid:Batman] |
|---|
| 61 | # Credential 3 |
|---|
| 62 | creddy --attribute \ |
|---|
| 63 | --issuer Acme_ID.pem --key Acme_private.pem --role preferred_customer \ |
|---|
| 64 | --subject-cert Batman_ID.pem \ |
|---|
| 65 | --out Acme_preferred_customer__Batman_attr.der |
|---|
| 66 | |
|---|
| 67 | #[keyid:WarnerBros].role:character <- [keyid:Coyote] |
|---|
| 68 | # Credential 4 |
|---|
| 69 | creddy --attribute \ |
|---|
| 70 | --issuer WarnerBros_ID.pem --key WarnerBros_private.pem --role character \ |
|---|
| 71 | --subject-cert Coyote_ID.pem \ |
|---|
| 72 | --out WarnerBros_character__Coyote_attr.der |
|---|
