Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of creddyRT2

Timestamp:: Sep 10, 2012 11:54:59 PM (12 years ago)
Author:: Mei
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

creddyRT2

                       v1
+{{{
+#!html
+<H1>creddy</H1>
+<P>
+<A NAME="lbAB">&nbsp;</A>
+<H2>NAME</H2>
+creddy - ABAC X.509 identity and attribute certificate manager
+<P>
+<A NAME="lbAC">&nbsp;</A>
+<H2>SYNOPSIS</H2>
+<P>
+<B>creddy [ --&lt;mode&gt; ] --help</B>
+<P>
+<A NAME="lbAD">&nbsp;</A>
+<H2>DESCRIPTION</H2>
+<P>
+creddy is an awesome and wonderful ABAC credential management tool. It
+creates, verifies, and otherwise frobnicates X.509 identity and
+attribute certificates. The output of the tool is suitable for use with
+ABAC. Additionally, the self-signed X.509 identity certs (with
+associated private keys) can be used with OpenSSL
+<P>
+<A NAME="lbAE">&nbsp;</A>
+<H2>OPTIONS</H2>
+<P>
+<A NAME="lbAF">&nbsp;</A>
+<H3>--generate</H3>
+Generate an X.509 identity cert and private key pair unless an external private key is specified. The certificate is saved in ${cn}_id.pem and the generated private key is saved in ${cn}_private.pem
+<P>
+<P>
+Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems
+<P>
+<DL COMPACT>
+<DT><B>--cn</B>
+<DD>
+common name used on certificate, provided as a convenience and ignored by ABAC
+<P>
+<DT><B>--validity</B>
+<DD>
+optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 1080 days
+<P>
+<DT><B>--out</B>
+<DD>
+optional output directory. Must exist before invoking the command
+<P>
+<DT><B>--key</B>
+<DD>
+optional external private key to be use for this identity
+<P>
+<DT><B>--p</B>
+<DD>
+optional passphrase flag if the external private key supplied is encrypted. If the passphrase
+is saved in a file 'pfile', then --p=pfile
+<P>
+</DL>
+<A NAME="lbAG">&nbsp;</A>
+<H3>--verify</H3>
+verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+self-signed X.509 identity cert
+<P>
+<DT><B>--attrcert</B>
+<DD>
+optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked
+<P>
+</DL>
+<A NAME="lbAH">&nbsp;</A>
+<H3>--keyid</H3>
+extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+X.509 identity cert
+<P>
+</DL>
+<A NAME="lbAI">&nbsp;</A>
+<H3>--attribute</H3>
+generate an X.509 attribute cert representing an ABAC credential
+<P>
+An attribute cert has one or more subjects. A single subject may be defined without a role or oset. Otherwise, subjects are defined by a pair of a --subject-{cert,id} and --subject-{role,oset} and may include an optional --subject-link or just --subject-obj or --subject-cert. Providing multiple subjects creates an intersection certificate
+<P>
+<DL COMPACT>
+<DT><B>--issuer</B>
+<DD>
+X.509 identity cert issuing the credential
+<P>
+<DT><B>--key</B>
+<DD>
+private key associated with issuer cert
+<P>
+<DT><B>--p</B>
+<DD>
+optional passphrase if the private key is encrypted
+<P>
+<DT><B>--role</B>
+<DD>
+role in issuer's local attribute space
+<P>
+<DT><B>--oset</B>
+<DD>
+o-set in issuer's local attribute space
+<P>
+<DT><B>--subject-cert</B>
+<DD>
+X.509 identity cert representing the principal to which the role is being issued. This fulfills the same purpose as --subject-id and should only be used once per subject
+<P>
+<DT><B>--subject-id</B>
+<DD>
+public key identifier (SHA1 hash) of the principal to which the role is being issued. This fulfills the same purpose as --subject-cert and should only be used once per subject
+<P>
+<DT><B>--subject-role</B>
+<DD>
+optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 &lt;- B.r2
+<P>
+<DT><B>--subject-oset</B>
+<DD>
+optional oset in subject's local attribute space. If the issuer is A, oset is o1, subject is B, and subject-oset is o2, the attribute issued will be A.o1 &lt;- B.o2
+<P>
+<DT><B>--subject-link</B>
+<DD>
+optional linking role in subject's local attribute space. If the issuer is A, oset is o1, subject is B, subject-link is r2 and subject-oset is o2, the attribute issued will be A.o1 &lt;- B.r2.o2
+<P>
+<DT><B>--subject-obj</B>
+<DD>
+optional object in subject's local attribute space. If the issuer is A, oset is o1, and subject-obj is o2, the attribute issued will be A.o1 &lt;- o2
+<P>
+<DT><B>--validity</B>
+<DD>
+optional certificate validity. This argument takes a time period followed by an optional suffix of s m h d y (defaults to d if omitted). The default is 365 days
+<P>
+<DT><B>--out</B>
+<DD>
+where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der
+<P>
+</DL>
+<A NAME="lbAJ">&nbsp;</A>
+<H3>--keycheck</H3>
+Do a sanity check on a private key file
+<P>
+<DL COMPACT>
+<DT><B>--key</B>
+<DD>
+private key to be used
+<P>
+<DT><B>--p</B>
+<DD>
+passphrase file to be used
+<P>
+</DL>
+<A NAME="lbAK">&nbsp;</A>
+<H3>--roles</H3>
+Extract the roles from an X.509 attribute cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+X.509 attribute cert containing ABAC roles
+<P>
+</DL>
+<A NAME="lbAL">&nbsp;</A>
+<H3>--osets</H3>
+Extract the osets from an X.509 attribute cert
+<P>
+<DL COMPACT>
+<DT><B>--cert</B>
+<DD>
+X.509 attribute cert containing ABACosets
+<P>
+</DL>
+<A NAME="lbAM">&nbsp;</A>
+<H3>--display</H3>
+Displays metadata from an X.509 identity or attribute cert
+<P>
+<DL COMPACT>
+<DT><B>--show=[issuer,..,all]</B>
+<DD>
+comma-separated list of:
+<P>
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;issuer&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DN&nbsp;of&nbsp;issuer
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;subject&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DN&nbsp;of&nbsp;subject
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;validity&nbsp;&nbsp;&nbsp;&nbsp;validity&nbsp;period
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;roles&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;attribute&nbsp;cert&nbsp;roles&nbsp;(fails&nbsp;silently&nbsp;on&nbsp;ID&nbsp;certs)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;osets&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;attribute&nbsp;cert&nbsp;osets&nbsp;(fails&nbsp;silently&nbsp;on&nbsp;ID&nbsp;certs)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;of&nbsp;the&nbsp;above
+<P>
+<DT><B>--cert</B>
+<DD>
+X.509 identity or attribute cert
+<P>
+</DL>
+<A NAME="lbAN">&nbsp;</A>
+<H3>--version</H3>
+display ABAC/creddy version
+<P>
+<A NAME="lbAO">&nbsp;</A>
+<H2>EXAMPLES</H2>
+<P>
+<DL COMPACT>
+<DT>Generate ID cert and private key pairs:<DD>
+<P>
+<B>creddy --generate --cn Alice</B>
+<BR>
+<B>creddy --generate --cn Bob</B>
+<P>
+<DT>Issue the credential Alice.friend &lt;- Bob<DD>
+<P>
+creddy --attribute \
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--issuer&nbsp;Alice_ID.pem&nbsp;--key&nbsp;Alice_private.pem&nbsp;\
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--role&nbsp;friend&nbsp;--subject-cert&nbsp;Bob_ID.pem&nbsp;\
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--out&nbsp;Alice_friend__Bob_attr.der
+<P>
+</DL>
+<A NAME="lbAP">&nbsp;</A>
+<H2>AUTHOR</H2>
+<P>
+Written by Mike Ryan
+<BR>
+Updated by Mei-Hui Su &lt;<A HREF="mailto:mei@ISI.EDU">mei@ISI.EDU</A>&gt;.
+<P>
+<A NAME="lbAQ">&nbsp;</A>
+<H2>BUGS</H2>
+<P>
+None yet. Report to <A HREF="http://abac.deterlab.net/">http://abac.deterlab.net/</A>
+<P>
+<A NAME="lbAR">&nbsp;</A>
+<H2>COPYRIGHT</H2>
+<P>
+Copyright (c) 2010-2012 USC/ISI. Released under MIT license. See COPYING included with source for details.
+<P>
+}}}