wiki:CredPrinterDocs

Version 4 (modified by faber, 13 years ago) (diff)

--

Credential Printer

The credential printer service is an XMLRPC service to convert ABAC credentials encoded as X.509 certificates into a text format. While libabac is widely portable through swig, some programming environments cannot import the library, yet would like to see the contents of credentials. The credential printer provides access.

Installing the service

We distribute the credential printer as a python application. It depends on the standard installation and the M2Crypto package, available from several places. It also depends on libabac.

Once the prerequisites are installed, download the credential printer source and untar it, change to the cred_printer-1.00 directory and run the standard python install script (as root):

$ tar xzf cred_printer-1.00.tar.gz
$ cd cred_printer-1.00
$ sudo python ./setup.py install

This will install a python egg into your site-packages and two python scripts, cred_server.py and cred_client.py into your standard biraries directory (/usr/local/bin on FreeBSD or Ubuntu).

Because the installation runs as root, you may need to delete the distribution directory as root:

$ cd ..
$ sudo rm -rf cred_printer-1.00.tar.gz

Running the server

The server takes an optional argument, --cert and a certificate with which to identify itself under SSL/https. If omitted, the server will run under http, unencrypted and unauthenticated. If run under SSL, the server expects clients to supply a certificate, but does not vaildate it's authorization chain. This is for future expansion using ABAC authorization to the server and self-certifying identities. The directions for making a fedid certificate will also create a valid certificate for this use.

The server also takes a --port argument defining the port to listen on. By default it listens on port 13232.

Assuming that ./cert.pem contains a certificate and key for the server:

$ cred_server.py --cert ./cert.pem

starts the server under SSL/https listening on port 13232,

$ cred_server.py --port 54321 --cert ./cert.pem

starts the server under SSL/https listening on port 54321

$ cred_server.py --port 54321

starts the server under http listening on port 54321, and

$ cred_server.py

starts the server under http on port 13232.

Running the client

The client is primarily to demonstrate the server functionality, but may prove useful itself. It takes 2 optional parameters and a list of filenames, and prints the decoded credentials on the standard output.

The --url option points to the server. By default it is http://localhost:13232. It can be set explicitly by setting this option, or by setting the CRED_URL environment variable. Using an https URL without the --cert option will fail.

The --cert option specifies a file to use for an https exchange. If the option is given, any URL will be traeted as https; if omitted any URL will be treated as http. The directions for making a fedid certificate will also create a valid certificate for this use.

To try the client, start the server as an http server on the default port:

$ cred_server.py

and run the client with the contents of the examples/experiment_create directory from the abac distribution. Assuming that that directory is examples/experiment_create:

$ cred_client.py examples/experiment_create/*

produces:

000: identity 9b47d3669b99a4ce1d3a0055be002ea6a580041a Acme
001: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.experiment_create <- 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner.experiment_create Acme.experiment_create <- Acme.partner.experiment_create
002: attribute 9b47d3669b99a4ce1d3a0055be002ea6a580041a.partner <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Acme.partner <- Globotron
003: Error, code -1
004: identity 001f3599bafb755e97855b9ee0b3487830a4ecc7 Alice
005: attribute 001f3599bafb755e97855b9ee0b3487830a4ecc7.power_user <- b9cdabc274fa38390c26829efed68eaa527b8d00 Alice.power_user <- Bob
006: Error, code -1
007: identity b9cdabc274fa38390c26829efed68eaa527b8d00 Bob
008: Error, code -1
009: identity f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7 Globotron
010: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin <- 001f3599bafb755e97855b9ee0b3487830a4ecc7 Globotron.admin <- Alice
011: attribute f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.experiment_create <- f923e9f69d33b52d8bbdfd19f2ec89dde7beedd7.admin.power_user Globotron.experiment_create <- Globotron.admin.power_user
012: Error, code -1
013: Error, code -1

Credentials that represent identities, such as the first entry (001) above are marked as identity certificates and both the keyid (a SHA1 hash of the key as described in RFC 3280, and the certificate CN (common name) are displayed. Certificates created through [Creddy Creddy] and libCreddy put a human-readable name in the certificate CN.

Credentials that represent attribute assignments are rendered as in line 002. The attribute identifier is printed and the certificate presented in RT0 format both with keyids and human-readable names.

For data that does not represent either an identity or an attribute, the error line is printed. The code is a libabac return code. The errors in this example come from the private key files and README files in that example directory.

Attachments (4)

Download all attachments as: .zip