creddy
NAME
creddy - ABAC X.509 identity and XML attribute certificate manager
SYNOPSIS
creddy [ --<mode> ] --help
DESCRIPTION
creddy is an awesome and wonderful ABAC credential management tool. It creates, verifies, and otherwise frobnicates X.509 identity and XML attribute certificates. Its output is suitable for use with ABAC. Additionally, the self-signed X.509 identity certs (with their associated private keys) can be used with OpenSSL. Although creddy only generates self-signed identity certs, it can verify and sanity-check identity certs that are not self-signed.
OPTIONS
--generate
Generate an X.509 identity cert and private key pair (or only the cert, if an external private key is supplied with --key). The certificate is saved in ${cn}_ID.pem and the generated private key in ${cn}_private.pem.
Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or by running large find commands on your local file systems.
    --cn
        common name used on the certificate, provided as a convenience and ignored by ABAC
    --validity
        optional certificate validity. The argument is a time period followed by an optional suffix of s, m, h, d or y (d if omitted). The default is 1080 days.
    --out
        optional output directory. It must exist before invoking the command.
    --key
        optional external private key to be used for this identity
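As an added example (this script is not part of creddy or the ABAC project), the following generates an identity and cross-checks it with OpenSSL, which the DESCRIPTION says the certs and keys are compatible with. It assumes creddy and openssl (1.1.1 or later, for x509 -ext) are on PATH, that creddy writes ${cn}_ID.pem and ${cn}_private.pem into the current directory as described above, and that --keyid prints the identifier as hex (with or without colons); that output format is an assumption, so both sides are normalised before comparison.

```shell
#!/bin/sh
# Added example, not from the creddy man page or the ABAC project.
# Generate an identity with creddy, then cross-check it with OpenSSL.
# Assumes: creddy and openssl on PATH; file names ${cn}_ID.pem and
# ${cn}_private.pem as described under --generate.
set -eu

# Names creddy uses for the identity cert and private key of a common name.
id_cert_for() { printf '%s_ID.pem\n' "$1"; }
id_key_for()  { printf '%s_private.pem\n' "$1"; }

# Generate a 30-day identity. A second argument reuses an external key (--key),
# in which case creddy writes only the cert.
gen_identity() {
    if [ -n "${2:-}" ]; then
        creddy --generate --cn "$1" --validity 30d --key "$2"
    else
        creddy --generate --cn "$1" --validity 30d
    fi
}

# 0 if cert and key belong together: the public key embedded in the cert must
# equal the one derived from the private key (compared as SHA-256 of the PEM).
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# 0 if creddy --keyid agrees with the subjectKeyIdentifier extension as OpenSSL
# reads it. Both sides are normalised to lowercase hex without colons; the
# format of creddy's output is an assumption (openssl needs 1.1.1+ for -ext).
keyid_agrees() {
    mine=$(creddy --keyid --cert "$1" | tr -d ' :' | tr 'A-F' 'a-f')
    ossl=$(openssl x509 -in "$1" -noout -ext subjectKeyIdentifier \
           | sed -n '2p' | tr -d ' :' | tr 'A-F' 'a-f')
    [ -n "$mine" ] && [ "$mine" = "$ossl" ]
}

# Generate, then run every check; set -e aborts on the first failure.
check_identity() {
    cert=$(id_cert_for "$1"); key=$(id_key_for "$1")
    gen_identity "$1"
    creddy --verify --cert "$cert"          # creddy's own signature check
    openssl verify -CAfile "$cert" "$cert"  # self-signed: the cert is its own trust anchor
    cert_matches_key "$cert" "$key"
    keyid_agrees "$cert"
    echo "identity $1 passes all checks"
}

# Usage: sh creddy_idcheck.sh Alice   (no argument: only define the functions)
[ $# -eq 0 ] || check_identity "$1"
```

To use an externally generated key instead, run something like openssl genrsa -out Carol_private.pem 2048 and then gen_identity Carol Carol_private.pem; cert_matches_key and keyid_agrees work on any PEM identity cert, not only ones creddy made.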
--verify
verify the signature on an X.509 identity cert (self-signed or not) or on an XML attribute cert
    --cert
        X.509 identity cert
    --attrcert
        optional XML attribute cert
--keyid
extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert
    --cert
        X.509 identity cert
--attribute
generate an XML attribute cert representing an ABAC credential. An attribute cert has one or more subjects. A single subject may be defined without a role. Otherwise, each subject is defined by a pair of --subject-{cert,id} and --subject-role and may include an optional --subject-link, or by just --subject-obj or --subject-cert. Providing multiple subjects creates an intersection certificate.
    --issuer
        X.509 identity cert issuing the credential
    --key
        private key associated with the issuer cert
    --role
        role in the issuer's local attribute space
    --subject-cert
        X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject.
    --subject-id
        public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject.
    --subject-role
        optional role in the subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2
    --subject-link
        optional linking role in the subject's local attribute space. If the issuer is A, role is r1, subject is B, subject-link is r2 and subject-role is r3, the attribute issued will be A.r1 <- B.r2.r3
    --subject-obj
        optional object in the subject's local attribute space. If the issuer is A, role is r1, and subject-obj is r2, the attribute issued will be A.r1 <- r2
    --validity
        optional certificate validity. The argument is a time period followed by an optional suffix of s, m, h, d or y (d if omitted). The default is 365 days.
    --out
        where to save the DER-encoded attribute cert. To interoperate with the rest of ABAC, this name should end in _attr.der
--roles
Extract the roles from an XML attribute cert
    --cert
        XML attribute cert containing ABAC roles
--display
Displays metadata from an X.509 identity or XML attribute cert
    --show=[issuer,..,all]
        comma-separated list of:
            issuer     DN of the issuer
            subject    DN of the subject
            validity   validity period
            roles      attribute cert roles (fails silently on ID certs)
            all        all of the above
    --cert
        X.509 identity or XML attribute cert
--version
display ABAC/creddy version
EXAMPLES
Generate ID cert and private key pairs:

    creddy --generate --cn Alice
    creddy --generate --cn Bob

Issue the credential Alice.friend <- Bob:

    creddy --attribute \
        --issuer Alice_ID.pem --key Alice_private.pem \
        --role friend --subject-cert Bob_ID.pem \
        --out Alice_friend__Bob_attr.der
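As an added example (not creddy's or the ABAC project's own code), the following script issues each of the subject forms described under --attribute (a plain subject, --subject-role, and --subject-link together with --subject-role) and then verifies and inspects every credential the way a relying party would. It assumes creddy is on PATH and that Alice_ID.pem, Alice_private.pem and Bob_ID.pem exist in the current directory (from the two --generate calls above). The part of the output-file name before the mandatory _attr.der suffix is this script's own convention, extended from the EXAMPLES.

```shell
#!/bin/sh
# Added example, not from the creddy man page or the ABAC project.
# Issues Alice.friend <- Bob, Alice.friend <- Bob.friend and
# Alice.friend <- Bob.team.member, then verifies and inspects each one.
# Assumes creddy on PATH and Alice_ID.pem, Alice_private.pem, Bob_ID.pem
# in the current directory.
set -eu

# Build an --out name. The man page only requires the _attr.der suffix; the
# "<issuer>_<role>__<subject>[_<link>][_<subject-role>]" prefix follows the
# EXAMPLES and is this script's convention, not creddy's.
attr_file() {
    name="${1}_${2}__${3}"
    shift 3
    for part in "$@"; do name="${name}_${part}"; done
    printf '%s_attr.der\n' "$name"
}

# 0 if a proposed --out name will interoperate with the rest of ABAC.
is_attr_name() {
    case $1 in *_attr.der) return 0 ;; *) return 1 ;; esac
}

# Common part of every issuance: issuer cert, issuer key, role in the
# issuer's space, then whatever subject options the caller passes.
issue() {  # $1 issuer cn, $2 role, $3 out file, $4.. subject options
    issuer=$1; role=$2; out=$3; shift 3
    is_attr_name "$out"   # refuse names the rest of ABAC would not pick up
    creddy --attribute --issuer "${issuer}_ID.pem" --key "${issuer}_private.pem" \
        --role "$role" "$@" --out "$out"
}

# A.r1 <- B
issue_plain()     { issue "$1" "$2" "$(attr_file "$1" "$2" "$3")" \
                        --subject-cert "${3}_ID.pem"; }
# A.r1 <- B.r2                      (--subject-role)
issue_delegated() { issue "$1" "$2" "$(attr_file "$1" "$2" "$3" "$4")" \
                        --subject-cert "${3}_ID.pem" --subject-role "$4"; }
# A.r1 <- B.r2.r3                   (--subject-link plus --subject-role)
issue_linked()    { issue "$1" "$2" "$(attr_file "$1" "$2" "$3" "$4" "$5")" \
                        --subject-cert "${3}_ID.pem" --subject-link "$4" --subject-role "$5"; }

# What a relying party does with a credential: check the signature against the
# issuer's identity cert, then read the roles and the metadata.
inspect_cred() {  # $1 issuer cn, $2 credential file
    creddy --verify --cert "${1}_ID.pem" --attrcert "$2"
    creddy --roles --cert "$2"
    creddy --display --show=issuer,subject,validity,roles --cert "$2"
}

demo() {
    issue_plain     Alice friend Bob              # Alice.friend <- Bob
    issue_delegated Alice friend Bob friend       # Alice.friend <- Bob.friend
    issue_linked    Alice friend Bob team member  # Alice.friend <- Bob.team.member
    for f in "$(attr_file Alice friend Bob)" \
             "$(attr_file Alice friend Bob friend)" \
             "$(attr_file Alice friend Bob team member)"; do
        inspect_cred Alice "$f"
    done
}

# Usage: sh creddy_issue.sh run   (no argument: only define the functions)
[ $# -eq 0 ] || demo
```

Because the script runs under set -e, a credential whose signature does not verify against Alice_ID.pem stops the run before its roles are ever printed, which is the order a relying party should keep: verify first, then trust the roles.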
AUTHOR
Written by Mike Ryan
Updated by Mei-Hui Su <mei@ISI.EDU>.
BUGS
None yet. Report to http://abac.deterlab.net/
COPYRIGHT
Copyright (c) 2010-2013 USC/ISI. Released under MIT license. See COPYING included with source for details.