Alexander Afanasyev | 7c6aeb0 | 2014-04-10 19:59:19 -0700 | [diff] [blame] | 1 | ndnsec: NDN security tool |
| 2 | ========================= |
| 3 | |
| 4 | ``ndnsec`` is a command-line tools to perform various NDN security management |
| 5 | operation: |
| 6 | |
| 7 | :: |
| 8 | |
| 9 | $ ndnsec <command> <args> |
| 10 | |
| 11 | One can check the command list by |
| 12 | |
| 13 | :: |
| 14 | |
| 15 | $ ndnsec help |
| 16 | |
| 17 | Here is a list of commands supported so far: |
| 18 | |
| 19 | :: |
| 20 | |
| 21 | $ ndnsec help |
| 22 | help Show all commands. |
| 23 | list Display information in PublicInfo. |
| 24 | get-default Get default setting info. |
| 25 | set-default Configure default setting. |
| 26 | key-gen Generate a Key-Signing-Key for an identity. |
| 27 | sign-req Generate a certificate signing request. |
| 28 | cert-gen Generate an identity certificate. |
| 29 | cert-dump Dump a certificate from PublicInfo. |
| 30 | cert-install Install a certificate into PublicInfo. |
| 31 | delete Delete identity/key/certificate. |
| 32 | export Export an identity package. |
| 33 | import Import an identity package. |
| 34 | set-acl Configure ACL of a private key. |
| 35 | unlock-tpm Unlock Tpm. |
| 36 | op-tool Operator tool. |
| 37 | |
| 38 | Next, we will introduce these commands one-by-one: |
| 39 | |
| 40 | list |
| 41 | ---- |
| 42 | |
| 43 | ``list`` command can display the information of identities, keys, and |
| 44 | certificates. By default, it only display all the identities created in |
| 45 | the system. For example: |
| 46 | |
| 47 | :: |
| 48 | |
| 49 | $ ndnsec list |
| 50 | * /ndn/edu/ucla/cs/yingdi |
| 51 | /ndn/test/cathy |
| 52 | /ndn/test/bob |
| 53 | /ndn/test/alice |
| 54 | |
| 55 | The identity with ``*`` in front is the default identity of the system. |
| 56 | |
| 57 | If option ``-K`` or ``-k`` is specified, the output of the command will |
| 58 | display key names for each identity. The key name with ``*`` in front is |
| 59 | the key name of the corresponding identity. For example: |
| 60 | |
| 61 | :: |
| 62 | |
| 63 | $ ndnsec list -k |
| 64 | * /ndn/edu/ucla/cs/yingdi |
| 65 | +->* /ndn/edu/ucla/cs/yingdi/ksk-1393811874052 |
| 66 | |
| 67 | /ndn/test/cathy |
| 68 | +->* /ndn/test/cathy/ksk-1394129695418 |
| 69 | |
| 70 | /ndn/test/bob |
| 71 | +->* /ndn/test/bob/ksk-1394129695308 |
| 72 | |
| 73 | /ndn/test/alice |
| 74 | +->* /ndn/test/alice/ksk-1394129695025 |
| 75 | |
| 76 | If option ``-C`` or ``-c`` is specified, the output of the command will |
| 77 | display certificate names for each key. The certificate name with ``*`` |
| 78 | in front is the certificate name of the corresponding key. For example: |
| 79 | |
| 80 | :: |
| 81 | |
| 82 | $ ndnsec list -c |
| 83 | * /ndn/edu/ucla/cs/yingdi |
| 84 | +->* /ndn/edu/ucla/cs/yingdi/ksk-1393811874052 |
| 85 | +->* /ndn/edu/ucla/cs/yingdi/KEY/ksk-1393811874052/ID-CERT/%FD%01D%85%A9a%DD |
| 86 | |
| 87 | /ndn/test/cathy |
| 88 | +->* /ndn/test/cathy/ksk-1394129695418 |
| 89 | +->* /ndn/test/KEY/cathy/ksk-1394129695418/ID-CERT/%FD%01D%98%9A%F3J |
| 90 | |
| 91 | /ndn/test/bob |
| 92 | +->* /ndn/test/bob/ksk-1394129695308 |
| 93 | +->* /ndn/test/KEY/bob/ksk-1394129695308/ID-CERT/%FD%01D%98%9A%F2%AE |
| 94 | |
| 95 | /ndn/test/alice |
| 96 | +->* /ndn/test/alice/ksk-1394129695025 |
| 97 | +->* /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F |
| 98 | |
| 99 | get-default/set-default |
| 100 | ----------------------- |
| 101 | |
| 102 | If you are only curious about the default setting of a particular |
| 103 | identity or key. You can use ``get-default`` command. |
| 104 | |
| 105 | If you want to check the default setting of a particular identity, you |
| 106 | can specify the identity name with option ``-i``. For example, a |
| 107 | command: |
| 108 | |
| 109 | :: |
| 110 | |
| 111 | $ ndnsec get-default -k -i /ndn/test/alice |
| 112 | /ndn/test/alice/ksk-1394129695025 |
| 113 | |
| 114 | returns the default key name of ``/ndn/test/alice``. And a command: |
| 115 | |
| 116 | :: |
| 117 | |
| 118 | $ ndnsec get-default -c -i /ndn/test/alice |
| 119 | /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F |
| 120 | |
| 121 | returns the default certificate name of ``/ndn/test/alice``. If option |
| 122 | ``-i`` is missing, the system default identity will be used. |
| 123 | |
| 124 | If you want to check default settings of a particular key, you can |
| 125 | specify the key name with option ``-K``. |
| 126 | |
| 127 | :: |
| 128 | |
| 129 | $ ndnsec get-default -c -K /ndn/test/alice/ksk-1394129695025 |
| 130 | /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F |
| 131 | |
| 132 | In order to change the default setting, you can change it using command |
| 133 | ``set-default``. If you want to change the default system identity, you |
| 134 | can use command: |
| 135 | |
| 136 | :: |
| 137 | |
| 138 | $ ndnsec set-default /ndn/test/alice |
| 139 | |
| 140 | If you want to set a key as the default key of its corresponding |
| 141 | identity, you can specify the key name with option ``-k``: |
| 142 | |
| 143 | :: |
| 144 | |
| 145 | $ ndnsec set-default -k /ndn/test/alice/ksk-1394129695025 |
| 146 | |
| 147 | If you want to set a certificate as the default certificate of its |
| 148 | corresponding key, you can specify the certificate name with option |
| 149 | ``-c``: |
| 150 | |
| 151 | :: |
| 152 | |
| 153 | $ ndnsec set-default -c /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F |
| 154 | |
| 155 | key-gen |
| 156 | ------- |
| 157 | |
| 158 | Command ``key-gen`` allows you to generate keys for a specified |
| 159 | identity. |
| 160 | |
| 161 | :: |
| 162 | |
| 163 | $ ndnsec key-gen /ndn/test/david |
| 164 | Bv0DAAc9CANuZG4IBHRlc3QIBWRhdmlkCANLRVkIEWtzay0xMzk2OTEzMDU4MTk2 |
| 165 | CAdJRC1DRVJUCAgAAAFFPoG0ohQDGAECFf0BeDCCAXQwIhgPMjAxNDA0MDcyMzI0 |
| 166 | MThaGA8yMDM0MDQwMjIzMjQxOFowKjAoBgNVBCkTIS9uZG4vdGVzdC9kYXZpZC9r |
| 167 | c2stMTM5NjkxMzA1ODE5NjCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB |
| 168 | ALS6udLacpydecxMRIfZeo74fxzpsITqaa/4UxD2FJ9lU4dtfiSSIOaRwAB/w0K/ |
| 169 | AauQRq3Q1AiEocUsW2h8LmtcuF4Cj9TGAUD/1s3CISMwf9zwQ3ZhNIzN0IOsrpPA |
| 170 | TsHrbdwtOxrcFvXX4GnMLWgtvcSB52Cn68h/4AUiA1CG9/DOyCyA4EHiIkHBxh6B |
| 171 | TvAmw7SmNjr1ZBTYMaMAEV5/oLZCHzHRO+2fKdEttaWH3bz7iKVVS8u5ZxXcBs8g |
| 172 | ot55m7Xf6/TUk3qQXM1kM8wW04U+8n3jch1i7tD2T3c/OFKTT7AWndwcfbU99Z6C |
| 173 | FZ7fMsgRHxFNY8hCFZJvFFUCAREWOhsBARw1BzMIA25kbggEdGVzdAgFZGF2aWQI |
| 174 | A0tFWQgRa3NrLTEzOTY5MTMwNTgxOTYIB0lELUNFUlQX/QEAW2yfF8JTgu5okR+n |
| 175 | dRlXc3UR/b1REegrpQb3xVzs7fYiiHwFYzQE9RzOuGh/9GSMvQcfejsPw021tJnj |
| 176 | oxNx6spGTOK5Bc0QZGeC6YyNoVSaJr9Obc5Uh8eRqxw76r0pCUHP+l38UgUGeBg/ |
| 177 | aHurtcu5zK0zFYX++SAfUGLUZlG4CqKBUNZC+6w9OGUXlcW411zMzfqQ7V9Gxg+p |
| 178 | 1IMNJQ6trTFdIwT/4YWHsxR+16r2TRWCNHtJey2GEG84YoqRh8y37jnu7oPhAtTN |
| 179 | TgG9O7O39dZLiFg+UP3LpW1LY64fJXsNfZQmnZWcNo5lX6MXfeiPxWFjOQqnno82 |
| 180 | 1hgqgA== |
| 181 | |
| 182 | And the generated key will be automatically set to be the default key of |
| 183 | the identity. The output of these command is a base64 encoded |
| 184 | self-signed certificate of the generated key. By default, the specified |
| 185 | identity will become the system default identity. If this is not your |
| 186 | intention, you can specify option ``-n`` to disable that. |
| 187 | |
| 188 | sign-req |
| 189 | -------- |
| 190 | |
| 191 | If you want to ask somebody else to issue you a certificate, you need to |
| 192 | create a signing request. Such a signing request is a self-signed |
| 193 | certificate of the your default key. You can generate this request using |
| 194 | command ``sign-req``, for example: |
| 195 | |
| 196 | :: |
| 197 | |
| 198 | $ ndnsec sign-req /ndn/test/david |
| 199 | |
| 200 | The request will be output to stdout. If you want to create a signing |
| 201 | request for a particular key. You can specify the key name with option |
| 202 | ``-k``, for example: |
| 203 | |
| 204 | :: |
| 205 | |
| 206 | $ ndnsec sign-req -k /ndn/test/david/ksk-1396913058196 |
| 207 | |
| 208 | cert-gen |
| 209 | -------- |
| 210 | |
| 211 | In order to issue others certificates, you can use command ``cert-gen``. |
| 212 | Such a command requires a signing request (a self-signed certificate). |
| 213 | |
| 214 | :: |
| 215 | |
| 216 | $ ndnsec cert-gen sign_request.cert |
| 217 | |
| 218 | You can specify the starting timestamp of the certificate's validity via |
| 219 | option ``-S`` and the ending timestamp of the certificate's validity via |
| 220 | option ``-E``. You can specify the name of the certificate owner via |
| 221 | option ``-N`` and other information about the certificate owner via |
| 222 | option ``-I``. At last, you may also specify the signing identity of the |
| 223 | certificate via option ``-s``, the default key and certificate of the |
| 224 | signing identity will be used to generate the requested certificate. If |
| 225 | ``-s`` is missing, the system default identity will be used. A complete |
| 226 | example of ``cert-gen`` command could be: |
| 227 | |
| 228 | :: |
| 229 | |
| 230 | $ ndnsec cert-gen -S 20140401000000 -E 20150331235959 -N "David" -I "2.5.4.10 'Some Organization'" -s /ndn/test sign_request.cert |
| 231 | Bv0C9wc9CANuZG4IBHRlc3QIA0tFWQgFZGF2aWQIEWtzay0xMzk2OTEzMDU4MTk2 |
| 232 | CAdJRC1DRVJUCAgAAAFFPp2g3hQDGAECFf0BdjCCAXIwIhgPMjAxNDA0MDEwMDAw |
| 233 | MDBaGA8yMDE1MDMzMTIzNTk1OVowKDAMBgNVBCkTBURhdmlkMBgGA1UEChMRU29t |
| 234 | ZSBPcmdhbml6YXRpb24wggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC0 |
| 235 | urnS2nKcnXnMTESH2XqO+H8c6bCE6mmv+FMQ9hSfZVOHbX4kkiDmkcAAf8NCvwGr |
| 236 | kEat0NQIhKHFLFtofC5rXLheAo/UxgFA/9bNwiEjMH/c8EN2YTSMzdCDrK6TwE7B |
| 237 | 623cLTsa3Bb11+BpzC1oLb3Egedgp+vIf+AFIgNQhvfwzsgsgOBB4iJBwcYegU7w |
| 238 | JsO0pjY69WQU2DGjABFef6C2Qh8x0TvtnynRLbWlh928+4ilVUvLuWcV3AbPIKLe |
| 239 | eZu13+v01JN6kFzNZDPMFtOFPvJ943IdYu7Q9k93PzhSk0+wFp3cHH21PfWeghWe |
| 240 | 3zLIER8RTWPIQhWSbxRVAgERFjMbAQEcLgcsCANuZG4IA0tFWQgEdGVzdAgRa3Nr |
| 241 | LTEzOTQxMjk2OTQ3ODgIB0lELUNFUlQX/QEABUGcl7U+F8cwMHKckerv+1H2Nvsd |
| 242 | OfeqX0+4RzWU+wRx2emMGMZZdHSx8M/i45hb0P5hbNEF99L35/SrSTSzhTZdOriD |
| 243 | t/LQOcKBoNXY+iw3EUFM0gvRGU0kaEVBKAHtbYhtoHc48QLEyrsVaMqmrjCmpeF/ |
| 244 | JOcClhzJfFW3cZ/SlhcTEayF0ntogYLR2cMzIwQhhSj5L/Kl7I7uxNxZhK1DS98n |
| 245 | q8oGAxHufEAluPrRpDQfI+jeQ4h/YYKcXPW3Vn7VQAGOqIi6gTlUxrmEbyCDF70E |
| 246 | xj5t3wfSUmDa1N+hLRMdEAI+IjRRHDSx2Lhj/QcoPIZPWwKjBz9CBL92og== |
| 247 | |
| 248 | The output of ``cert-gen`` is the generated certificate with base64 |
| 249 | encoding. |
| 250 | |
| 251 | cert-install |
| 252 | ------------ |
| 253 | |
| 254 | On receiving the requested certificate, you can install the certificate |
| 255 | in your system via command ``cert-install``. |
| 256 | |
| 257 | :: |
| 258 | |
| 259 | $ ndnsec cert-install cert_file.cert |
| 260 | |
| 261 | By default, the installed certificate will be set to be the default |
| 262 | certificate of its corresponding identity. And this identity will become |
| 263 | the system default identity. If this is not your intention, you can |
| 264 | specify option ``-N`` to install the certificate without changing any |
| 265 | default setting; or you can specify option ``-K`` to set the installed |
| 266 | certificate to be the default certificate of its corresponding key; or |
| 267 | option ``-I`` to set the installed certificate to be the default |
| 268 | certificate of its corresponding identity. |
| 269 | |
| 270 | cert-dump |
| 271 | --------- |
| 272 | |
| 273 | If you want to display a certificate in stdout, you can use command |
| 274 | ``cert-dump``. |
| 275 | |
| 276 | :: |
| 277 | |
| 278 | $ ndnsec cert-dump /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE |
| 279 | |
| 280 | By default, a base64 encoded certificate is displayed. You can specify |
| 281 | option ``-p`` to display a decoded certificate: |
| 282 | |
| 283 | :: |
| 284 | |
| 285 | $ ndnsec cert-dump -p /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE |
| 286 | Certificate name: |
| 287 | /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE |
| 288 | Validity: |
| 289 | NotBefore: 20140401T000000 |
| 290 | NotAfter: 20150331T235959 |
| 291 | Subject Description: |
| 292 | 2.5.4.41: David |
| 293 | 2.5.4.10: Some Organization |
| 294 | Public key bits: |
| 295 | MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAtLq50tpynJ15zExEh9l6 |
| 296 | jvh/HOmwhOppr/hTEPYUn2VTh21+JJIg5pHAAH/DQr8Bq5BGrdDUCIShxSxbaHwu |
| 297 | a1y4XgKP1MYBQP/WzcIhIzB/3PBDdmE0jM3Qg6yuk8BOwett3C07GtwW9dfgacwt |
| 298 | aC29xIHnYKfryH/gBSIDUIb38M7ILIDgQeIiQcHGHoFO8CbDtKY2OvVkFNgxowAR |
| 299 | Xn+gtkIfMdE77Z8p0S21pYfdvPuIpVVLy7lnFdwGzyCi3nmbtd/r9NSTepBczWQz |
| 300 | zBbThT7yfeNyHWLu0PZPdz84UpNPsBad3Bx9tT31noIVnt8yyBEfEU1jyEIVkm8U |
| 301 | VQIB |
| 302 | |
| 303 | delete |
| 304 | ------ |
| 305 | |
| 306 | If you want to delete identities, keys, or certificates, you can use |
| 307 | command ``delete``. You need to supply a name to this command. By |
| 308 | default the name should be the identity to delete. For example: |
| 309 | |
| 310 | :: |
| 311 | |
| 312 | $ ndnsec delete /ndn/test/david |
| 313 | |
| 314 | If option ``-K`` or ``-k`` is specified, the name should be the name of |
| 315 | the key to delete. If option ``-C`` or ``-c`` is specified, the name |
| 316 | should be the name of the certificate to delete. |
| 317 | |
| 318 | export/import |
| 319 | ------------- |
| 320 | |
| 321 | You can export or import security data of a specified identity. The |
| 322 | security data may even include private key (which is protected by |
| 323 | encryption). |
| 324 | |
| 325 | In order to export security data of an identity, you can use command: |
| 326 | |
| 327 | :: |
| 328 | |
| 329 | $ ndnsec export /ndn/test/alice |
| 330 | |
| 331 | This will output all the public security data of the specified identity |
| 332 | to ``stdout``. If you want to export private keys, you need to specify |
| 333 | option ``-p``. If you want to export security data into a file, you can |
| 334 | specify the file name with option ``-o``. |
| 335 | |
| 336 | If you can also import security data of a particular identity from a |
| 337 | file, you can use command: |
| 338 | |
| 339 | :: |
| 340 | |
| 341 | $ ndnsec import input_file |
| 342 | |
| 343 | If input\_file is ``-``, the command will import security data from |
| 344 | ``stdin``. If the security to import contains private key, you need to |
| 345 | specify option ``-p``. |
| 346 | |
| 347 | unlock-tpm |
| 348 | ---------- |
| 349 | |
| 350 | Depending on the internal implementation, the Trusted Platform Module |
| 351 | (TPM) which manages private keys may be locked. If you want to |
| 352 | explicitly unlock the TPM, you can use ``unlock-tpm`` command. |