creddy(1)                                                            creddy(1)

NAME
       creddy - ABAC X.509 identity and attribute certificate manager

SYNOPSIS
       creddy [ --<> ] --help

DESCRIPTION
       creddy is an awesome and wonderful ABAC credential management tool.
       It creates, verifies, and otherwise frobnicates X.509 identity and
       attribute certificates. The output of the tool is suitable for use
       with ABAC. Additionally, the self-signed X.509 identity certs (with
       associated private keys) can be used with OpenSSL.

OPTIONS
       --generate
              Generate an X.509 identity cert and private key pair unless an
              external private key is specified. The certificate is saved in
              ${cn}_id.pem and the generated private key is saved in
              ${cn}_private.pem

              Note that private key generation is slow and uses a lot of
              entropy. You can generate entropy by moving your mouse a lot or
              running large find commands on your local file systems.

              --cn   common name used on certificate, provided as a
                     convenience and ignored by ABAC

              --validity
                     optional certificate validity. This argument takes a
                     time period followed by an optional suffix of s m h d y
                     (defaults to d if omitted). The default is 1080 days

              --out  optional output directory. Must exist before invoking
                     the command

              --key  optional external private key to be used for this
                     identity

              --p    optional passphrase flag if the external private key
                     supplied is encrypted. If the passphrase is saved in a
                     file 'pfile', then --p=pfile

       --verify
              verify the signature on a self-signed X.509 identity cert or an
              X.509 attribute cert

              --cert self-signed X.509 identity cert

              --attrcert
                     optional X.509 attribute cert. If omitted the
                     self-signature of the ID cert is checked

       --keyid
              extract the subjectKeyIdentifier (SHA1 hash) from an X.509
              identity cert

              --cert X.509 identity cert

       --attribute
              generate an X.509 attribute cert representing an ABAC
              credential

              An attribute cert has one or more subjects. A single subject
              may be defined without a role or oset. Otherwise, subjects are
              defined by a pair of a --subject-{cert,id} and
              --subject-{role,oset} and may include an optional
              --subject-link or just --subject-obj or --subject-cert.
              Providing multiple subjects creates an intersection
              certificate.

              --issuer
                     X.509 identity cert issuing the credential

              --key  private key associated with issuer cert

              --p    optional passphrase if the private key is encrypted

              --role role in issuer's local attribute space

              --oset o-set in issuer's local attribute space

              --subject-cert
                     X.509 identity cert representing the principal to which
                     the role is being issued. This fulfills the same purpose
                     as --subject-id and should only be used once per subject

              --subject-id
                     public key identifier (SHA1 hash) of the principal to
                     which the role is being issued. This fulfills the same
                     purpose as --subject-cert and should only be used once
                     per subject

              --subject-role
                     optional role in subject's local attribute space. If the
                     issuer is A, role is r1, subject is B, and subject-role
                     is r2, the attribute issued will be A.r1 <- B.r2

              --subject-oset
                     optional oset in subject's local attribute space. If the
                     issuer is A, oset is o1, subject is B, and subject-oset
                     is o2, the attribute issued will be A.o1 <- B.o2

              --subject-link
                     optional linking role in subject's local attribute
                     space. If the issuer is A, oset is o1, subject is B,
                     subject-link is r2 and subject-oset is o2, the attribute
                     issued will be A.o1 <- B.r2.o2

              --subject-obj
                     optional object in subject's local attribute space. If
                     the issuer is A, oset is o1, and subject-obj is o2, the
                     attribute issued will be A.o1 <- o2

              --validity
                     optional certificate validity. This argument takes a
                     time period followed by an optional suffix of s m h d y
                     (defaults to d if omitted). The default is 365 days

              --out  where to save DER-encoded attribute cert. In order to
                     interoperate with the rest of ABAC, this name should end
                     in _attr.der

       --keycheck
              Do a sanity check on a private key file

              --key  private key to be used

              --p    passphrase file to be used

       --roles
              Extract the roles from an X.509 attribute cert

       --osets
              Extract the osets from an X.509 attribute cert

              --cert X.509 attribute cert containing ABAC roles

       --display
              Displays metadata from an X.509 identity or attribute cert

              --show=[issuer,..,all]
                     comma-separated list of:

                     issuer    DN of issuer
                     subject   DN of subject
                     validity  validity period
                     roles     attribute cert roles (fails silently on ID
                               certs)
                     osets     attribute cert osets (fails silently on ID
                               certs)
                     all       all of the above

              --cert X.509 identity or attribute cert

       --version
              display ABAC/creddy version

EXAMPLES
       Generate ID cert and private key pairs:

              creddy --generate --cn Alice
              creddy --generate --cn Bob

       Issue the credential Alice.friend <- Bob

              creddy --attribute \
                  --issuer Alice_ID.pem --key Alice_private.pem \
                  --role friend --subject-cert Bob_ID.pem \
                  --out Alice_friend__Bob_attr.der

AUTHOR
       Written by Mike Ryan. Updated by Mei-Hui Su.

BUGS
       None yet. Report to http://abac.deterlab.net/

COPYRIGHT
       Copyright (c) 2010-2012 USC/ISI. Released under MIT license. See
       COPYING included with source for details.

ABAC 0.2.2                        July 2012                          creddy(1)
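The --attribute options above compose one ABAC statement (A.r1 <- B.r2, A.o1 <- B.r2.o2, A.o1 <- o2, or an intersection of several subjects), and --validity takes a period with an optional s/m/h/d/y suffix. The following Python is an added example, not part of creddy or the ABAC distribution: it models both rules so an argument combination can be checked before a cert is issued. The Subject/build_credential names, the 365-day year and the '&' join used for intersection certificates are assumptions, not creddy behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Seconds per --validity suffix; treating a year as 365 days is an assumption.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}

def validity_seconds(spec: Optional[str], default_days: int) -> int:
    """Parse a --validity value ('30', '12h', '2y') into seconds. No suffix means
    days; no argument means the command's default (1080 or 365 days)."""
    if spec is None:
        return default_days * 86400
    spec, unit = spec.strip(), "d"
    if spec and spec[-1] in _UNITS:
        spec, unit = spec[:-1], spec[-1]
    if not spec.isdigit() or int(spec) == 0:
        raise ValueError(f"bad --validity period: {spec!r}")
    return int(spec) * _UNITS[unit]

@dataclass
class Subject:
    principal: Optional[str] = None  # --subject-cert or --subject-id (one per subject)
    role: Optional[str] = None       # --subject-role
    oset: Optional[str] = None       # --subject-oset
    link: Optional[str] = None       # --subject-link, linking role ahead of the oset
    obj: Optional[str] = None        # --subject-obj, a plain object with no principal

def render_subject(s: Subject) -> str:
    """Text one subject contributes to the right-hand side of the credential."""
    if s.obj is not None:
        if s.principal or s.role or s.oset or s.link:
            raise ValueError("--subject-obj stands alone")
        return s.obj                                   # A.o1 <- o2
    if s.principal is None:
        raise ValueError("subject needs --subject-cert or --subject-id")
    if s.role and s.oset:
        raise ValueError("a subject carries a role or an oset, not both")
    if s.link and not s.oset:
        raise ValueError("--subject-link requires --subject-oset")
    if s.oset:                                         # B.o2 or B.r2.o2
        return f"{s.principal}.{s.link}.{s.oset}" if s.link else f"{s.principal}.{s.oset}"
    return f"{s.principal}.{s.role}" if s.role else s.principal  # B.r2 or bare B

def build_credential(issuer: str, subjects: list, role=None, oset=None) -> str:
    """Compose the ABAC statement creddy --attribute would encode for these args."""
    if not subjects or (role is None) == (oset is None):
        raise ValueError("need exactly one of --role/--oset and at least one subject")
    # A lone subject may be bare; an intersection needs a role/oset per subject ('&' join: assumed RT0).
    if len(subjects) > 1 and any(s.obj is None and not (s.role or s.oset) for s in subjects):
        raise ValueError("each subject of an intersection needs a role or oset")
    return f"{issuer}.{role or oset} <- " + " & ".join(render_subject(s) for s in subjects)
```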