wiki:CreddyDoc

Version 1 (modified by Mei, 11 years ago)


User Commands creddy(1)

NAME

creddy - ABAC X.509 identity and XML attribute certificate manager (for cool kids)

SYNOPSIS

creddy [ --<mode> ] --help

DESCRIPTION

creddy is an awesome and wonderful ABAC credential management tool. It creates, verifies, and otherwise frobnicates X.509 identity and XML attribute certificates. The output of the tool is suitable for use with ABAC. Additionally, the self-signed X.509 identity certs (with associated private keys) can be used with OpenSSL.

OPTIONS

--generate

Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem.

Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.

--cn

common name used on certificate, provided as a convenience and ignored by ABAC

--validity

optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days.

--out

optional output directory. Must exist before invoking the command.

--verify

verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert

--cert

self-signed X.509 identity cert

--attrcert

optional XML attribute cert. If omitted the self-signature of the ID cert is checked

--keyid

extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert

--cert

X.509 identity cert

--attribute

generate an XML attribute cert representing an ABAC credential

An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-role. Providing multiple subjects creates an intersection certificate.

--issuer

X.509 identity cert issuing the credential

--key

private key associated with issuer cert

--role

role in issuer's local attribute space

--subject-cert

X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.

--subject-id

public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.

--subject-role

optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.

--validity

optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days.

--out

where to save the XML attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.xml.
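To make the three credential shapes described under --attribute concrete (a bare subject, a delegated A.r1 <- B.r2 subject, and an intersection of several subjects), here is an added example that is not part of creddy: it computes which principals end up holding a role once a set of such credentials is combined. Principals are named by string for readability, whereas real creddy credentials identify them by keyid; the '&' used to join subjects is an assumed notation for an intersection certificate.

```python
# Added example (not creddy code): resolve who holds an ABAC role from credentials
# of the forms `creddy --attribute` issues. Principals are named, not keyid-hashed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    principal: str  # owner of the local attribute space, e.g. "Alice"
    name: str       # role within that space, e.g. "friend"

@dataclass(frozen=True)
class Credential:
    head: Role       # role being issued (--issuer plus --role)
    subjects: tuple  # str: a principal; Role: delegation (--subject-role);
                     # more than one subject: an intersection certificate

def parse(text):
    """Parse the page's 'A.r1 <- B.r2' notation; '&' joins several subjects
    (an assumed notation for an intersection certificate)."""
    head, rhs = (part.strip() for part in text.split("<-"))
    subjects = tuple(Role(*s.split(".", 1)) if "." in s else s
                     for s in (x.strip() for x in rhs.split("&")))
    return Credential(Role(*head.split(".", 1)), subjects)

def compute_members(creds):
    """Least fixed point: map each issued role to the principals holding it.
    Sets only grow, so this terminates even with cyclic delegation."""
    members = {c.head: set() for c in creds}
    changed = True
    while changed:
        changed = False
        for c in creds:
            parts = [{s} if isinstance(s, str) else members.get(s, set())
                     for s in c.subjects]
            new = set.intersection(*parts)  # single subject: its members
            if not new <= members[c.head]:
                members[c.head] |= new
                changed = True
    return members

def holds(creds, principal, role):
    return principal in compute_members(creds).get(role, set())

# Constructed sample credential set in the notation the OPTIONS section uses.
SAMPLE = [parse(line) for line in (
    "Alice.friend <- Bob",                           # simple membership
    "Alice.friend <- Carol.member",                  # delegation A.r1 <- B.r2
    "Alice.friend <- Eve",
    "Carol.member <- Dave",
    "Alice.trusted <- Alice.friend & Carol.member",  # intersection cert
)]
```

Dave reaches Alice.trusted only because he satisfies both halves of the intersection; Eve is Alice's friend but never becomes Carol's member, so she is excluded.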

--roles

Extract the roles from an XML attribute cert

--cert

XML attribute cert containing ABAC roles

--display

Displays metadata from an X.509 identity or XML attribute cert

--show=[issuer,..,all]

comma-separated list of:

    issuer    DN of issuer
    subject   DN of subject
    validity  validity period
    roles     attribute cert roles (fails silently on ID certs)
    all       all of the above

--cert

X.509 identity or XML attribute cert

--version

display ABAC/creddy version

EXAMPLES

Generate ID cert and private key pairs:

creddy --generate --cn Alice
creddy --generate --cn Bob

Issue the credential Alice.friend <- Bob

creddy --attribute \
    --issuer Alice_ID.pem --key Alice_private.pem \
    --role friend --subject-cert Bob_ID.pem \
    --out Alice_friendBob_attr.der

AUTHOR

Written by Mike Ryan, Edited by Mei-Hui Su <mei@…>

BUGS

None yet. Report to http://abac.deterlab.net/

COPYRIGHT

Copyright (c) 2010-2013 USC/ISI. Released under MIT license. See COPYING included with source for details.

ABAC 0.1.5 Last change: July 2013