User Commands creddy(1)
NAME
creddy - ABAC X.509 identity and XML attribute certificate manager (for cool kids)
SYNOPSIS
creddy [ --<mode> ] --help
DESCRIPTION
creddy is an awesome and wonderful ABAC credential management tool. It creates, verifies, and otherwise frobnicates X.509 identity and XML attribute certificates. The output of the tool is suitable for use with ABAC. Additionally, the self-signed X.509 identity certs (with associated private keys) can be used with OpenSSL.
OPTIONS
--generate
Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem.
Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.
--cn
common name used on certificate, provided as a convenience and ignored by ABAC
--validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days.
--out
optional output directory. Must exist before invoking the command.
--verify
verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert
--cert
self-signed X.509 identity cert
--attrcert
optional XML attribute cert. If omitted the self-signature of the ID cert is checked
--keyid
extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert
--cert
X.509 identity cert
--attribute
generate an XML attribute cert representing an ABAC credential
An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-role. Providing multiple subjects creates an intersection certificate.
--issuer
X.509 identity cert issuing the credential
--key
private key associated with issuer cert
--role
role in issuer's local attribute space
--subject-cert
X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.
--subject-id
public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.
--subject-role
optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.
--validity
optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days.
--out
where to save the XML attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.xml.
--roles
Extract the roles from an XML attribute cert
--cert
XML attribute cert containing ABAC roles
--display
Displays metadata from an X.509 identity or XML attribute cert
--show=[issuer,..,all]
comma-separated list of:
issuer      DN of issuer
subject     DN of subject
validity    validity period
roles       attribute cert roles (fails silently on ID certs)
all         all of the above
--cert
X.509 identity or XML attribute cert
--version
display ABAC/creddy version
EXAMPLES
Generate ID cert and private key pairs:
creddy --generate --cn Alice
creddy --generate --cn Bob
Issue the credential Alice.friend <- Bob
creddy --attribute \
    --issuer Alice_ID.pem --key Alice_private.pem \
    --role friend --subject-cert Bob_ID.pem \
    --out Alice_friendBob_attr.der
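The same workflow carried further, as an added example that is not part of this man page or the ABAC distribution: it generates three identities, issues a direct credential, a delegated one via --subject-role, and a second link so that Carol reaches Alice.friend, then verifies each credential and lists its roles. It assumes creddy is on PATH and that --generate writes ${cn}_ID.pem and ${cn}_private.pem as the example above uses; the attr_file naming scheme is the script's own.

```shell
#!/bin/sh
# Added example, not part of the creddy man page or the ABAC project:
# an end-to-end creddy workflow. Assumes creddy is on PATH and that
# --generate writes ${cn}_ID.pem and ${cn}_private.pem as EXAMPLES shows.
set -eu

# Credential file name, ending in _attr.xml as --out requires; the
# <issuer>_<role><subject>[_<subject_role>] prefix is this script's own scheme.
attr_file() { # issuer role subject [subject_role]
    printf '%s_%s%s%s_attr.xml' "$1" "$2" "$3" "${4:+_$4}"
}

# The ABAC statement creddy will sign: A.r1 <- B, or A.r1 <- B.r2 when a
# --subject-role is given (every member of B.r2 then also holds A.r1).
credential_label() { # issuer role subject [subject_role]
    printf '%s.%s <- %s%s' "$1" "$2" "$3" "${4:+.$4}"
}

# Sign the credential with the issuer's own ID cert and private key.
issue() { # issuer role subject [subject_role]
    extra=${4:+--subject-role $4}   # left unquoted below: expands to 0 or 2 words
    creddy --attribute --issuer "${1}_ID.pem" --key "${1}_private.pem" \
        --role "$2" --subject-cert "${3}_ID.pem" $extra --out "$(attr_file "$@")"
    echo "issued $(credential_label "$@")"
}

# Verify the signature against the issuer's ID cert, then list the roles;
# a failed verification makes creddy exit non-zero and set -e stops the run.
check() { # issuer role subject [subject_role]
    creddy --verify --cert "${1}_ID.pem" --attrcert "$(attr_file "$@")"
    creddy --roles --cert "$(attr_file "$@")"
}

workflow() {
    for p in Alice Bob Carol; do creddy --generate --cn "$p"; done
    issue Alice friend Bob          # Alice.friend <- Bob
    issue Alice friend Bob friend   # Alice.friend <- Bob.friend (delegation)
    issue Bob friend Carol          # Bob.friend <- Carol: Carol now reaches Alice.friend
    check Alice friend Bob
    check Alice friend Bob friend
    check Bob friend Carol
    creddy --keyid --cert Carol_ID.pem   # the hash --subject-id would take instead
}

# Only drive the tool when it is installed; the helpers above work without it.
if command -v creddy >/dev/null 2>&1; then workflow; fi
```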
AUTHOR
Written by Mike Ryan, Edited by Mei-Hui Su <mei@…>
BUGS
None yet. Report to http://abac.deterlab.net/
COPYRIGHT
Copyright (c) 2010-2013 USC/ISI. Released under MIT license. See COPYING included with source for details.
ABAC 0.1.5 Last change: July 2013