Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of creddyRT0

Timestamp:: May 15, 2013 2:19:52 PM (12 years ago)
Author:: Mei
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

creddyRT0

                       v1
+{{{
+#!html
+<H1>creddy</H1>
+<P>
+<A NAME="lbAB">&nbsp;</A>
+<H2>NAME</H2>
+creddy - ABAC X.509 identity and XML attribute certificate manager
+<P>
+<A NAME="lbAC">&nbsp;</A>
+<H2>SYNOPSIS</H2>
+<P>
+<B>creddy [ --&lt;mode&gt; ] --help</B>
+<P>
+<A NAME="lbAD">&nbsp;</A>
+<H2>DESCRIPTION</H2>
+<P>
+creddy is an awesome and wonderful ABAC credential management tool. It
+creates, verifies, and otherwise frobnicates X.509 identity and
+XML attribute certificates. The output of the tool is suitable for use with
+ABAC. Additionally, the self-signed X.509 identity certs (with
+associated private keys) can be used with OpenSSL. Although creddy
+only generates self-signed identity, it can verify and sanity check
+none self-signed identity certs
+<P>
+<A NAME="lbAE">&nbsp;</A>
+<H2>OPTIONS</H2>
+<P>
+<A NAME="lbAF">&nbsp;</A>
+<H3>--generate</H3>
+Generate an X.509 identity cert and private key pair unless an external private key is specified
+. The certificate is saved in ${cn}_id.pem and the generated private key is saved in ${cn}_priva
+te.pem
+<P>
+<P>
+Note that private key generation is slow and uses a lot of entropy. You can generate entropy by
+moving your mouse a lot or running large find commands on your local file systems
+<P>
+<DL COMPACT>
+<DT><B>--cn</B>
+<DD>
+common name used on certificate, provided as a convenience and ignored by ABAC
+<P>
+<DT><B>--validity</B>
+<DD>
+optional certificate validity. This argument takes a time period followed by an optional suffix
+of s m h d y (defaults to d if omitted). The default is 1080 days
+<P>
+<DT><B>--out</B>
+<DD>
+optional output directory. Must exist before invoking the command
+<P>
+<DT><B>--key</B>
+<DD>
+optional external private key to be use for this identity
+<P>
+</DL>
+<A NAME="lbAG">&nbsp;</A>
+<H3>--verify</H3>
+verify the signature on a (self-signed and none self-signed) X.509 identity cert or an X.509 att
+ribute cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+X.509 identity cert
+<P>
+<DT><B>--attrcert</B>
+<DD>
+optional XML attribute cert.
+<P>
+</DL>
+<A NAME="lbAH">&nbsp;</A>
+<H3>--keyid</H3>
+extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+X.509 identity cert
+<P>
+</DL>
+<A NAME="lbAI">&nbsp;</A>
+<H3>--attribute</H3>
+generate an XML attribute cert representing an ABAC credential
+<P>
+An attribute cert has one or more subjects. A single subject may be defined without a role. Othe
+rwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-{role} and may incl
+ude an optional --subject-link or just --subject-obj or --subject-cert. Providing multiple subje
+cts creates an intersection certificate
+<P>
+<DL COMPACT>
+<DT><B>--issuer</B>
+<DD>
+X.509 identity cert issuing the credential
+<P>
+<DT><B>--key</B>
+<DD>
+private key associated with issuer cert
+<P>
+<DT><B>--role</B>
+<DD>
+role in issuer's local attribute space
+<P>
+<DT><B>--subject-cert</B>
+<DD>
+X.509 identity cert representing the principal to which the role is being issued. This fulfills
+the same purpose as --subject-id and should only be used once per subject
+<P>
+<DT><B>--subject-id</B>
+<DD>
+public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfi
+lls the same purpose as --subject-cert and should only be used once per subject
+<P>
+<DT><B>--subject-role</B>
+<DD>
+optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B,
+and subject-role is r2, the attribute issued will be A.r1 &lt;- B.r2
+<P>
+<DT><B>--subject-link</B>
+<DD>
+optional linking role in subject's local attribute space. If the issuer is A, role is r1, subjec
+t is B, subject-link is r2 and subject-role is r3, the attribute issued will be A.r1 &lt;- B.r2.
+r3
+<P>
+<DT><B>--subject-obj</B>
+<DD>
+optional object in subject's local attribute space. If the issuer is A, role is r1, and subject-
+obj is r2, the attribute issued will be A.r1 &lt;- r2
+<P>
+<DT><B>--validity</B>
+<DD>
+optional certificate validity. This argument takes a time period followed by an optional suffix
+of s m h d y (defaults to d if omitted). The default is 365 days
+<P>
+<DT><B>--out</B>
+<DD>
+where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this n
+ame should end in _attr.der
+<P>
+</DL>
+<A NAME="lbAK">&nbsp;</A>
+<H3>--roles</H3>
+Extract the roles from an XML attribute cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+XML attribute cert containing ABAC roles
+<P>
+</DL>
+<A NAME="lbAM">&nbsp;</A>
+<H3>--display</H3>
+Displays metadata from an X.509 identity or XML attribute cert
+<P>
+<DL COMPACT>
+<DT><B>--show=[issuer,..,all]</B>
+<DD>
+comma-separated list of:
+<P>
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;issuer&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DN&nbsp;of&nbsp;issuer
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;subject&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DN&nbsp;of&nbsp;subject
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;validity&nbsp;&nbsp;&nbsp;&nbsp;validity&nbsp;period
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;roles&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;attribute&nbsp;cert&n
+bsp;roles&nbsp;(fails&nbsp;silently&nbsp;on&nbsp;ID&nbsp;certs)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;of
+&nbsp;the&nbsp;above
+<P>
+<DT><B>--cert</B>
+<DD>
+X.509 identity or XMLattribute cert
+<P>
+</DL>
+<A NAME="lbAN">&nbsp;</A>
+<H3>--version</H3>
+display ABAC/creddy version
+<P>
+<A NAME="lbAO">&nbsp;</A>
+<H2>EXAMPLES</H2>
+<P>
+<DL COMPACT>
+<DT>Generate ID cert and private key pairs:<DD>
+<P>
+<B>creddy --generate --cn Alice</B>
+<BR>
+<B>creddy --generate --cn Bob</B>
+<P>
+<DT>Issue the credential Alice.friend &lt;- Bob<DD>
+<P>
+creddy --attribute \
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--issuer&nbsp;Alice_ID.pem&nbsp;--key&nbsp;Alice_p
+rivate.pem&nbsp;\
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--role&nbsp;friend&nbsp;--subject-cert&nbsp;Bob_ID
+.pem&nbsp;\
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--out&nbsp;Alice_friend__Bob_attr.der
+<P>
+</DL>
+<A NAME="lbAP">&nbsp;</A>
+<H2>AUTHOR</H2>
+<P>
+Written by Mike Ryan
+<BR>
+Updated by Mei-Hui Su &lt;<A HREF="mailto:mei@ISI.EDU">mei@ISI.EDU</A>&gt;.
+<P>
+<A NAME="lbAQ">&nbsp;</A>
+<H2>BUGS</H2>
+<P>
+None yet. Report to <A HREF="http://abac.deterlab.net/">http://abac.deterlab.net/</A>
+<P>
+<A NAME="lbAR">&nbsp;</A>
+<H2>COPYRIGHT</H2>
+<P>
+Copyright (c) 2010-2013 USC/ISI. Released under MIT license. See COPYING included with source fo
+r details.
+<P>
+}}}