| 1 | #!/bin/sh |
|---|
| 2 | # |
|---|
| 3 | # This example demonstrates linking parameterized roles and delegating across |
|---|
| 4 | # institutions. There are 4 principals USC, ISI, John, and Maryann. USC and |
|---|
| 5 | # ISI are companies, and USC owns ISI. USC sets the policy that the manager of |
|---|
| 6 | # a principal (an employee) has the role of evaluating that employee (and no |
|---|
| 7 | # others). That policy is expressed in Credential 1. Credential 2 says that |
|---|
| 8 | # ISI's assignment of manager roles is accepted by USC. Similarly Credential 4 |
|---|
| 9 | # says that any ISI employee is a USC employee. |
|---|
| 10 | # |
|---|
| 11 | # Credential 3 encodes ISI asserting that John is the manager of Maryann and |
|---|
| 12 | # credentials 5 and 6 idicate that John and Maryann are ISI employees. |
|---|
| 13 | # |
|---|
| 14 | # the attached ./run_query script queries that USC grants John the role of evaluator |
|---|
| 15 | # of Maryann, that ISI asserts John is Maryann's manager and that John is an |
|---|
| 16 | # ISI employee. |
|---|
| 17 | |
|---|
| 18 | # evaluator_rt1 |
|---|
| 19 | |
|---|
| 20 | #[keyid:USC].role:employee <-?- [keyid:John] |
|---|
| 21 | #[keyid:USC].role:evaluatorOf([keyid:Maryann])<-?- [keyid:John] |
|---|
| 22 | |
|---|
| 23 | creddy --generate --cn ISI |
|---|
| 24 | creddy --generate --cn USC |
|---|
| 25 | creddy --generate --cn Maryann |
|---|
| 26 | creddy --generate --cn John |
|---|
| 27 | |
|---|
| 28 | isi_keyid=`creddy --keyid --cert ISI_ID.pem` |
|---|
| 29 | usc_keyid=`creddy --keyid --cert USC_ID.pem` |
|---|
| 30 | maryann_keyid=`creddy --keyid --cert Maryann_ID.pem` |
|---|
| 31 | john_keyid=`creddy --keyid --cert John_ID.pem` |
|---|
| 32 | |
|---|
| 33 | managerof_maryann="managerOf([keyid:$maryann_keyid])" |
|---|
| 34 | |
|---|
| 35 | #[keyid:USC].role:evaluatorOf([principal:?K])<-[keyid:USC].role:managerOf([principal:?K]) |
|---|
| 36 | # Credential 1 |
|---|
| 37 | creddy --attribute \ |
|---|
| 38 | --issuer USC_ID.pem --key USC_private.pem --role 'evaluatorOf([principal:?K])' \ |
|---|
| 39 | --subject-cert USC_ID.pem --subject-role 'managerOf([principal:?K])' \ |
|---|
| 40 | --out USC_evaluatorof_qK__USC_managerof_qK_attr.der |
|---|
| 41 | |
|---|
| 42 | #[keyid:USC].role:managerOf([principal:?K])<-[keyid:ISI].role:managerOf([principal:?K]) |
|---|
| 43 | # Credential 2 |
|---|
| 44 | creddy --attribute \ |
|---|
| 45 | --issuer USC_ID.pem --key USC_private.pem --role 'managerOf([principal:?K])' \ |
|---|
| 46 | --subject-cert ISI_ID.pem --subject-role 'managerOf([principal:?K])' \ |
|---|
| 47 | --out USC_managerof_qK__USC_employee_attr.der |
|---|
| 48 | |
|---|
| 49 | #[keyid:ISI].role:managerOf([keyid:Maryann]) <- [keyid:John] |
|---|
| 50 | # Credential 3 |
|---|
| 51 | creddy --attribute \ |
|---|
| 52 | --issuer ISI_ID.pem --key ISI_private.pem --role "$managerof_maryann" \ |
|---|
| 53 | --subject-cert John_ID.pem \ |
|---|
| 54 | --out ISI_manageof_Maryann__John_attr.der |
|---|
| 55 | |
|---|
| 56 | #[keyid:USC].role:employee <- [keyid:ISI].role:employee |
|---|
| 57 | # Credential 4 |
|---|
| 58 | creddy --attribute \ |
|---|
| 59 | --issuer USC_ID.pem --key USC_private.pem --role employee \ |
|---|
| 60 | --subject-cert ISI_ID.pem --subject-role employee \ |
|---|
| 61 | --out USC_employee__ISI_employee_attr.der |
|---|
| 62 | |
|---|
| 63 | #[keyid:ISI].role:employee <- [keyid:Maryann] |
|---|
| 64 | # Credential 5 |
|---|
| 65 | creddy --attribute \ |
|---|
| 66 | --issuer ISI_ID.pem --key ISI_private.pem --role employee \ |
|---|
| 67 | --subject-cert Maryann_ID.pem \ |
|---|
| 68 | --out ISI_employee__Maryann_attr.der |
|---|
| 69 | |
|---|
| 70 | #[keyid:ISI].role:employee <- [keyid:John] |
|---|
| 71 | # Credential 6 |
|---|
| 72 | creddy --attribute \ |
|---|
| 73 | --issuer ISI_ID.pem --key ISI_private.pem --role employee \ |
|---|
| 74 | --subject-cert John_ID.pem \ |
|---|
| 75 | --out ISI_employee__John_attr.der |
|---|
| 76 | |
|---|
