Changes between Initial Version and Version 1 of creddyRT0


Timestamp:
May 15, 2013 2:19:52 PM (9 years ago)
Author:
Mei
{{{
#!html
<H1>creddy</H1>
<P>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

creddy - ABAC X.509 identity and XML attribute certificate manager
<P>
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<P>
<B>creddy [ --&lt;mode&gt; ] --help</B>

<P>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<P>
creddy is an awesome and wonderful ABAC credential management tool. It
creates, verifies, and otherwise frobnicates X.509 identity and
XML attribute certificates. The output of the tool is suitable for use with
ABAC. Additionally, the self-signed X.509 identity certs (with
associated private keys) can be used with OpenSSL. Although creddy
only generates self-signed identity certs, it can verify and sanity-check
non-self-signed identity certs.
<P>
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>

<P>
<A NAME="lbAF">&nbsp;</A>
<H3>--generate</H3>

Generate an X.509 identity cert and private key pair, unless an external private key is specified.
The certificate is saved in ${cn}_id.pem and the generated private key is saved in ${cn}_private.pem.
<P>
<P>

Note that private key generation is slow and uses a lot of entropy. You can generate entropy by
moving your mouse a lot or running large find commands on your local file systems.
<P>
<DL COMPACT>
<DT><B>--cn</B>

<DD>
common name used on the certificate; provided as a convenience and ignored by ABAC
<P>
<DT><B>--validity</B>

<DD>
optional certificate validity. This argument takes a time period followed by an optional suffix
of s m h d y (defaults to d if omitted). The default is 1080 days
<P>
<DT><B>--out</B>

<DD>
optional output directory. Must exist before invoking the command
<P>
<DT><B>--key</B>
<DD>
optional external private key to be used for this identity
<P>
</DL>
<A NAME="lbAG">&nbsp;</A>
<H3>--verify</H3>

verify the signature on a (self-signed or non-self-signed) X.509 identity cert or an X.509 attribute cert
<P>
<DL COMPACT>
<DT><B>--cert</B>

<DD>
X.509 identity cert
<P>
<DT><B>--attrcert</B>

<DD>
optional XML attribute cert.
<P>
</DL>
<A NAME="lbAH">&nbsp;</A>
<H3>--keyid</H3>

extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert
<P>
<DL COMPACT>
<DT><B>--cert</B>

<DD>
X.509 identity cert
<P>
</DL>
<A NAME="lbAI">&nbsp;</A>
<H3>--attribute</H3>

generate an XML attribute cert representing an ABAC credential
<P>
An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise,
subjects are defined by a pair of a --subject-{cert,id} and a --subject-role, and may include an
optional --subject-link, or just a --subject-obj or a --subject-cert. Providing multiple subjects
creates an intersection certificate.
<P>
<DL COMPACT>
<DT><B>--issuer</B>

<DD>
X.509 identity cert issuing the credential
<P>
<DT><B>--key</B>

<DD>
private key associated with the issuer cert
<P>
<DT><B>--role</B>
<DD>
role in the issuer's local attribute space
<P>
<DT><B>--subject-cert</B>

<DD>
X.509 identity cert representing the principal to which the role is being issued. This fulfills
the same purpose as --subject-id and should only be used once per subject
<P>
<DT><B>--subject-id</B>

<DD>
public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills
the same purpose as --subject-cert and should only be used once per subject
<P>
<DT><B>--subject-role</B>
<DD>
optional role in the subject's local attribute space. If the issuer is A, role is r1, subject is B,
and subject-role is r2, the attribute issued will be A.r1 &lt;- B.r2
<P>
<DT><B>--subject-link</B>

<DD>
optional linking role in the subject's local attribute space. If the issuer is A, role is r1, subject
is B, subject-link is r2 and subject-role is r3, the attribute issued will be A.r1 &lt;- B.r2.r3
<P>
<DT><B>--subject-obj</B>

<DD>
optional object in the subject's local attribute space. If the issuer is A, role is r1, and
subject-obj is r2, the attribute issued will be A.r1 &lt;- r2
<P>
<DT><B>--validity</B>

<DD>
optional certificate validity. This argument takes a time period followed by an optional suffix
of s m h d y (defaults to d if omitted). The default is 365 days
<P>
<DT><B>--out</B>

<DD>
where to save the DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this
name should end in _attr.der
<P>
</DL>
<A NAME="lbAK">&nbsp;</A>
<H3>--roles</H3>

Extract the roles from an XML attribute cert
<P>
<DL COMPACT>
<DT><B>--cert</B>

<DD>
XML attribute cert containing ABAC roles
<P>
</DL>
<A NAME="lbAM">&nbsp;</A>
<H3>--display</H3>

Displays metadata from an X.509 identity or XML attribute cert
<P>
<DL COMPACT>
<DT><B>--show=[issuer,..,all]</B>

<DD>
comma-separated list of:
<P>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;issuer&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DN&nbsp;of&nbsp;issuer
<BR>&nbsp;&nbsp;&nbsp;&nbsp;subject&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DN&nbsp;of&nbsp;subject
<BR>&nbsp;&nbsp;&nbsp;&nbsp;validity&nbsp;&nbsp;&nbsp;&nbsp;validity&nbsp;period
<BR>&nbsp;&nbsp;&nbsp;&nbsp;roles&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;attribute&nbsp;cert&nbsp;roles&nbsp;(fails&nbsp;silently&nbsp;on&nbsp;ID&nbsp;certs)
<BR>&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;of&nbsp;the&nbsp;above
<P>
<DT><B>--cert</B>

<DD>
X.509 identity or XML attribute cert
<P>
</DL>
<A NAME="lbAN">&nbsp;</A>
<H3>--version</H3>
display ABAC/creddy version
<P>
<A NAME="lbAO">&nbsp;</A>
<H2>EXAMPLES</H2>

<P>
<DL COMPACT>
<DT>Generate ID cert and private key pairs:<DD>
<P>
<B>creddy --generate --cn Alice</B>

<BR>

<B>creddy --generate --cn Bob</B>

<P>
<DT>Issue the credential Alice.friend &lt;- Bob:<DD>
<P>
creddy --attribute \
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--issuer&nbsp;Alice_ID.pem&nbsp;--key&nbsp;Alice_private.pem&nbsp;\
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--role&nbsp;friend&nbsp;--subject-cert&nbsp;Bob_ID.pem&nbsp;\
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--out&nbsp;Alice_friend__Bob_attr.der
<P>
</DL>
<A NAME="lbAP">&nbsp;</A>
<H2>AUTHOR</H2>

<P>
Written by Mike Ryan
<BR>
Updated by Mei-Hui Su &lt;<A HREF="mailto:mei@ISI.EDU">mei@ISI.EDU</A>&gt;.
<P>
<A NAME="lbAQ">&nbsp;</A>
<H2>BUGS</H2>

<P>
None yet. Report to <A HREF="http://abac.deterlab.net/">http://abac.deterlab.net/</A>
<P>
<A NAME="lbAR">&nbsp;</A>
<H2>COPYRIGHT</H2>

<P>
Copyright (c) 2010-2013 USC/ISI. Released under the MIT license. See COPYING included with the source for details.
<P>
}}}
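The --attribute subject rules and the --validity syntax from the man page, as an added Python helper that is not part of creddy: it builds the creddy argv for one credential, rejects flag combinations the man page does not allow, and derives the RT0 statement the credential asserts (A.r1 <- B, A.r1 <- B.r2, A.r1 <- B.r2.r3, A.r1 <- r2). The principal names, the "&" written between the subjects of an intersection certificate, and the rule that --subject-obj stands alone are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}  # --validity suffixes; none means days

def validity_seconds(text: str) -> int:
    """Parse creddy's --validity syntax: a number with an optional s/m/h/d/y suffix."""
    m = re.fullmatch(r"(\d+)([smhdy]?)", text.strip())
    if not m:
        raise ValueError(f"bad --validity: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "d"]

@dataclass
class Subject:
    """One subject of an --attribute credential; 'name' only appears in the derived RT0 text."""
    name: str
    cert: Optional[str] = None   # --subject-cert (identity cert file)
    keyid: Optional[str] = None  # --subject-id (SHA1 key identifier)
    role: Optional[str] = None   # --subject-role
    link: Optional[str] = None   # --subject-link (only meaningful with --subject-role)
    obj: Optional[str] = None    # --subject-obj (assumed to stand alone, as in "A.r1 <- r2")

    def flags(self) -> List[str]:
        if self.obj is not None:
            if any((self.cert, self.keyid, self.role, self.link)):
                raise ValueError("--subject-obj must be used on its own")
            return ["--subject-obj", self.obj]
        if (self.cert is None) == (self.keyid is None):
            raise ValueError("use exactly one of --subject-cert / --subject-id per subject")
        if self.link is not None and self.role is None:
            raise ValueError("--subject-link requires --subject-role")
        out = ["--subject-cert", self.cert] if self.cert else ["--subject-id", self.keyid]
        for flag, val in (("--subject-link", self.link), ("--subject-role", self.role)):
            if val:
                out += [flag, val]
        return out

    def rt0(self) -> str:
        self.flags()  # validate the flag combination first
        return self.obj if self.obj is not None else ".".join(p for p in (self.name, self.link, self.role) if p)

def attribute_command(issuer, issuer_cert, key, role, subjects, out):
    """Return (argv, statement): the creddy call and the RT0 credential it asserts ('&' = intersection)."""
    if not out.endswith("_attr.der"):
        raise ValueError("--out name should end in _attr.der to interoperate with the rest of ABAC")
    argv = ["creddy", "--attribute", "--issuer", issuer_cert, "--key", key, "--role", role]
    for s in subjects:
        argv += s.flags()
    return argv + ["--out", out], f"{issuer}.{role} <- " + " & ".join(s.rt0() for s in subjects)
```

The returned argv is meant to be handed to subprocess.run; nothing here invokes creddy itself.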
     253