1 | #!/bin/sh |
---|
2 | # |
---|
3 | # This example demonstrates linking parameterized roles and delegating across |
---|
4 | # institutions. There are 4 principals USC, ISI, John, and Maryann. USC and |
---|
5 | # ISI are companies, and USC owns ISI. USC sets the policy that the manager of |
---|
6 | # a principal (an employee) has the role of evaluating that employee (and no |
---|
7 | # others). That policy is expressed in Credential 1. Credential 2 says that |
---|
8 | # ISI's assignment of manager roles is accepted by USC. Similarly Credential 4 |
---|
9 | # says that any ISI employee is a USC employee. |
---|
10 | # |
---|
11 | # Credential 3 encodes ISI asserting that John is the manager of Maryann and |
---|
12 | # credentials 5 and 6 idicate that John and Maryann are ISI employees. |
---|
13 | # |
---|
14 | # the attached ./run_query script queries that USC grants John the role of evaluator |
---|
15 | # of Maryann, that ISI asserts John is Maryann's manager and that John is an |
---|
16 | # ISI employee. |
---|
17 | |
---|
18 | # evaluator_rt1_typed |
---|
19 | |
---|
20 | #[keyid:USC].role:employee <-?- [keyid:John] |
---|
21 | #[keyid:USC].role:evaluatorOf([keyid:Maryann])<-?- [keyid:John] |
---|
22 | |
---|
23 | creddy --generate --cn ISI |
---|
24 | creddy --generate --cn USC |
---|
25 | creddy --generate --cn Maryann |
---|
26 | creddy --generate --cn John |
---|
27 | |
---|
28 | isi_keyid=`creddy --keyid --cert ISI_ID.pem` |
---|
29 | usc_keyid=`creddy --keyid --cert USC_ID.pem` |
---|
30 | maryann_keyid=`creddy --keyid --cert Maryann_ID.pem` |
---|
31 | john_keyid=`creddy --keyid --cert John_ID.pem` |
---|
32 | |
---|
33 | managerof_maryann="managerOf([keyid:$maryann_keyid])" |
---|
34 | |
---|
35 | #[keyid:USC].role:evaluatorOf([principal:?K])<-[keyid:USC].role:managerOf([principal:?K]) |
---|
36 | # Credential 1 |
---|
37 | creddy --attribute \ |
---|
38 | --issuer USC_ID.pem --key USC_private.pem --role 'evaluatorOf([principal:?K])' \ |
---|
39 | --subject-cert USC_ID.pem --subject-role 'managerOf([principal:?K])' \ |
---|
40 | --out USC_evaluatorof_qK__USC_managerof_qK_attr.der |
---|
41 | |
---|
42 | #[keyid:USC].role:managerOf([principal:?K])<-[keyid:ISI].role:managerOf([principal:?K]) |
---|
43 | # Credential 2 |
---|
44 | creddy --attribute \ |
---|
45 | --issuer USC_ID.pem --key USC_private.pem --role 'managerOf([principal:?K])' \ |
---|
46 | --subject-cert ISI_ID.pem --subject-role 'managerOf([principal:?K])' \ |
---|
47 | --out USC_managerof_qK__USC_employee_attr.der |
---|
48 | |
---|
49 | #[keyid:ISI].role:managerOf([keyid:Maryann]) <- [keyid:John] |
---|
50 | # Credential 3 |
---|
51 | creddy --attribute \ |
---|
52 | --issuer ISI_ID.pem --key ISI_private.pem --role "$managerof_maryann" \ |
---|
53 | --subject-cert John_ID.pem \ |
---|
54 | --out ISI_manageof_Maryann__John_attr.der |
---|
55 | |
---|
56 | #[keyid:USC].role:employee <- [keyid:ISI].role:employee |
---|
57 | # Credential 4 |
---|
58 | creddy --attribute \ |
---|
59 | --issuer USC_ID.pem --key USC_private.pem --role employee \ |
---|
60 | --subject-cert ISI_ID.pem --subject-role employee \ |
---|
61 | --out USC_employee__ISI_employee_attr.der |
---|
62 | |
---|
63 | #[keyid:ISI].role:employee <- [keyid:Maryann] |
---|
64 | # Credential 5 |
---|
65 | creddy --attribute \ |
---|
66 | --issuer ISI_ID.pem --key ISI_private.pem --role employee \ |
---|
67 | --subject-cert Maryann_ID.pem \ |
---|
68 | --out ISI_employee__Maryann_attr.der |
---|
69 | |
---|
70 | #[keyid:ISI].role:employee <- [keyid:John] |
---|
71 | # Credential 6 |
---|
72 | creddy --attribute \ |
---|
73 | --issuer ISI_ID.pem --key ISI_private.pem --role employee \ |
---|
74 | --subject-cert John_ID.pem \ |
---|
75 | --out ISI_employee__John_attr.der |
---|
76 | |
---|