.\" $OpenBSD: keynote.1,v 1.18 2001/08/06 10:42:26 mpech Exp $
.\"
.\" The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu)
.\"
.\" This code was written by Angelos D. Keromytis in Philadelphia, PA, USA,
.\" in April-May 1998
.\"
.\" Copyright (C) 1998, 1999 by Angelos D. Keromytis.
.\"
.\" Permission to use, copy, and modify this software without fee
.\" is hereby granted, provided that this entire notice is included in
.\" all copies of any software which is or includes a copy or
.\" modification of this software.
.\" You may use this code under the GNU public license if you so wish. Please
.\" contribute changes back to the author.
.\"
.\" THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
.\" IMPLIED WARRANTY. IN PARTICULAR, THE AUTHORS MAKES NO
.\" REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
.\" PURPOSE.
.\"
.Dd April 29, 1999
.Dt KEYNOTE 1
.\" .TH keynote 1 local
.Os
.Sh NAME
.Nm keynote
.Nd command line tool for
.Xr keynote 3
operations
.Sh SYNOPSIS
.Nm keynote keygen
.Ar AlgorithmName
.Ar KeySize
.Ar PublicKeyFile
.Ar PrivateKeyFile
.Op print-offset
.Op print-length

.Nm keynote sign
.Op Fl v
.Ar AlgorithmName
.Ar AssertionFile
.Ar PrivateKeyFile
.Op print-offset
.Op print-length

.Nm keynote sigver
.Op AssertionFile

.Nm keynote verify
.Op Fl h
.Op Fl e Ar file
.Fl l Ar file
.Fl r Ar retlist
.Op Fl k Ar file
.Op Fl l Ar file
.Op Ar file ...
.Sh DESCRIPTION
For more details on
.Nm KeyNote ,
see RFC 2704.
.Sh KEY GENERATION
"keynote keygen" creates a public/private key of size
.Fa KeySize ,
(in bits) for the algorithm specified by
.Fa AlgorithmName .
Typical keysizes are 512, 1024, or 2048 (bits). The minimum key size
for DSA keys is 512 (bits).
Supported
.Fa AlgorithmName
identifiers are:
.Bl -tag -width indent
.It ``dsa-hex:''
.It ``dsa-base64:''
.It ``rsa-hex:''
.It ``rsa-base64:''
.It ``x509-hex:''
.It ``x509-base64:''
.El
.Pp
Notice that the trailing colon is required. The resulting public key is
stored in file
.Fa PublicKeyFile .
Similarly, the resulting private key is stored in file
.Fa PrivateKeyFile .
Either of the filenames can be specified to be ``-'', in which
case the corresponding key(s) will be printed to standard output.
.Pp
The optional parameters
.Fa print-offset
and
.Fa print-length
specify the offset from the beginning of the line where the key
will be printed, and the number of characters of the key that will
be printed per line.
.Fa print-length
includes
.Fa AlgorithmName
for the first line and has to be longer (by at least 2) than
.Fa AlgorithmName .
.Fa print-length
also accounts for the line-continuation character (backslash) at
the end of each line, and the doublequotes at the beginning and end
of the key encoding. Default values are 12 and 50 respectively.
.Sh ASSERTION SIGNING
"keynote sign" reads the assertion contained in
.Fa AssertionFile
and generates a signature specified by
.Fa AlgorithmName
using the private key stored in
.Fa PrivateKeyFile .
The private key is expected to be of the form output by
"keynote keygen". The private key algorithm and the
.Fa AlgorithmName
specified as an argument are expected to match. There is no requirement
for the internal or ASCII encodings to match. Valid
.Fa AlgorithmName
identifiers are:
.Bl -tag -width indent
.It ``sig-dsa-sha1-hex:''
.It ``sig-dsa-sha1-base64:''
.It ``sig-rsa-sha1-hex:''
.It ``sig-rsa-sha1-base64:''
.It ``sig-rsa-md5-hex:''
.It ``sig-rsa-md5-base64:''
.It ``sig-x509-sha1-hex:''
.It ``sig-x509-sha1-base64:''
.El
.Pp
Notice that the trailing colon is required.
The resulting signature is printed to standard output. This can then
be added (via cut-and-paste or some script) at the end of the
assertion, in the
.Fa Signature
field.
.Pp
The public key corresponding to the private key in
.Fa PrivateKeyFile
is expected to already be included in the
.Fa Authorizer
field of the assertion, either directly or indirectly (i.e., through
use of a
.Fa Local-Constants
attribute). Furthermore, the assertion must have a
.Fa Signature
field (even if it is empty), as the signature is computed on
everything between the
.Fa KeyNote-Version
and
.Fa Signature
keywords (inclusive), and the
.Fa AlgorithmName
string.
.Pp
If the
.Fl v
flag is provided, "keynote sign" will also verify the newly-created
signature using the
.Fa Authorizer
field key.
.Pp
The optional parameters
.Fa print-offset
and
.Fa print-length
specify the offset from the beginning of the line where the signature
will be printed, and the number of characters of the signature that will
be printed per line.
.Fa print-length
includes
.Fa AlgorithmName
for the first line and has to be longer (by at least 2) than
.Fa AlgorithmName .
.Fa print-length
also accounts for the line-continuation character (backslash) at
the end of each line, and the doublequotes at the beginning and end
of the signature encoding. Default values are 12 and 50 respectively.
.Sh SIGNATURE VERIFICATION
"keynote sigver" reads the assertions contained in
.Fa AssertionFile
and verifies the public-key signatures on all of them.
.Sh QUERY TOOL
For each operand that names a
.Ar file ,
"keynote verify" reads the file and parses the assertions contained
therein (one assertion per file).
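.Pp
The following is an added Python example, not part of this manual page or of
the KeyNote distribution. It illustrates the ASSERTION SIGNING rules above:
which bytes of an assertion the signature covers (from the KeyNote-Version
keyword through the Signature keyword, plus the AlgorithmName string) and the
preconditions "keynote sign" expects (a Signature field present, the signer's
public key already in the Authorizer field, directly or via Local-Constants).
The sample assertion, its placeholder key and signature values, and the exact
slicing of the hashed bytes (whether the colon after Signature is included,
any canonicalization) are assumptions; RFC 2704 and keynote(3) define the real
byte layout, so this is a coverage illustration, not a reimplementation of
"keynote sign".

```python
"""Illustrate what "keynote sign" covers and the preconditions keynote(1) lists.

Added example; not code from the keynote man page or the KeyNote implementation.
The slicing below follows the man page's description of signature coverage; the
exact hashed bytes are defined by RFC 2704 and keynote(3) (assumption).
"""
import hashlib
import re

# Constructed sample assertion; key and signature values are placeholders.
SAMPLE_ASSERTION = '''KeyNote-Version: 2
Comment: constructed example, not a real key
Local-Constants: ALICE = "rsa-hex:PLACEHOLDER_PUBLIC_KEY"
Authorizer: ALICE
Licensees: "rsa-hex:PLACEHOLDER_LICENSEE_KEY"
Conditions: app_domain == "RFC822-EMAIL" && address ~= "@example\\.com$" -> "true";
Signature: "sig-rsa-sha1-hex:PLACEHOLDER_SIGNATURE"
'''

_FIELD_RE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*)$", re.MULTILINE)
_SIGNATURE_KW = re.compile(r"^Signature:", re.MULTILINE)


def fields(assertion: str) -> dict:
    """First line of every top-level field, keyed by field name."""
    return dict(_FIELD_RE.findall(assertion))


def signed_region(assertion: str, algorithm_name: str) -> bytes:
    """Bytes the signature covers per the man page: KeyNote-Version keyword through
    the Signature keyword (inclusive), followed by the AlgorithmName string.
    Whether the colon after Signature is hashed is an assumption here."""
    start = assertion.find("KeyNote-Version")
    if start < 0:
        raise ValueError("no KeyNote-Version field")
    m = _SIGNATURE_KW.search(assertion, start)
    if m is None:
        raise ValueError("no Signature field; keynote sign needs one, even if empty")
    # Everything after the Signature keyword (the signature value itself) is not covered.
    return assertion[start:m.end()].encode() + algorithm_name.encode()


def sha1_hex(assertion: str, algorithm_name: str) -> str:
    """Digest of the covered bytes, as a sig-*-sha1-* AlgorithmName would hash them."""
    return hashlib.sha1(signed_region(assertion, algorithm_name)).hexdigest()


def mutation_is_covered(assertion: str, algorithm_name: str, old: str, new: str) -> bool:
    """True if replacing old with new changes the signed bytes (would break the signature)."""
    return signed_region(assertion, algorithm_name) != signed_region(
        assertion.replace(old, new), algorithm_name)


def check_signing_preconditions(assertion: str, signer_public_key: str) -> list:
    """Return the man page preconditions the assertion violates (empty list means OK)."""
    problems = []
    f = fields(assertion)
    if "KeyNote-Version" not in f:
        problems.append("missing KeyNote-Version field")
    if "Signature" not in f:
        problems.append("missing Signature field (it may be empty)")
    authorizer = f.get("Authorizer", "").strip().strip('"')
    # Indirect reference: Authorizer names a Local-Constants entry holding the key.
    consts = dict(re.findall(r'([A-Za-z0-9_]+)\s*=\s*"([^"]*)"', f.get("Local-Constants", "")))
    if authorizer != signer_public_key and consts.get(authorizer) != signer_public_key:
        problems.append("signer's public key is not the Authorizer (directly or via Local-Constants)")
    return problems


if __name__ == "__main__":
    print(check_signing_preconditions(SAMPLE_ASSERTION, "rsa-hex:PLACEHOLDER_PUBLIC_KEY"))
    print(sha1_hex(SAMPLE_ASSERTION, "sig-rsa-sha1-hex:"))
```

The two checks worth keeping in mind when scripting around "keynote sign":
a change to Conditions alters the covered bytes, while a change to the
signature value after the Signature keyword does not, which is exactly why the
signature is appended in that field after signing; and the AlgorithmName string
is bound into the hash, so a signature made as sig-rsa-sha1-hex: will not verify
under a different AlgorithmName.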
.Pp
Files given with the
.Fl l
flag are assumed to contain trusted assertions (no signature
verification is performed, and the
.Fa Authorizer
field can contain non-key principals).
There should be at least one assertion with the
.Fa POLICY
keyword in the
.Fa Authorizer
field.
.Pp
The
.Fl r
flag is used to provide a comma-separated list of return values, in
increasing order of compliance from left to right.
.Pp
Files given with the
.Fl e
flag are assumed to contain environment variables and their values,
in the format:
.Bd -literal -offset indent
varname = "value"
.Ed
.Pp
.Fa varname
can begin with any letter (upper or lower case) or number,
and can contain underscores.
.Fa value
is a quoted string, and can contain any character, and escape
(backslash) processing is performed, as specified in the KeyNote
RFC.
.Pp
The remaining options are:
.Bl -tag -width indent
.It Fl h
Print a usage message and exit.
.It Fl k Ar file
Add a key from
.Fa file
in the action authorizers.
.El
.Pp
Exactly one
.Fl r
and at least one of each
.Fl e ,
.Fl l ,
and
.Fl k
flags should be given per invocation. If no flags are given,
"keynote verify" prints the usage message and exits with error code \-1.
.Pp
"keynote verify" exits with code \-1 if there was an error, and 0 on success.
.Sh SEE ALSO
.Xr keynote 3 ,
.Xr keynote 4 ,
.Xr keynote 5
.Bl -tag -width "AAAAAAA"
.It ``The KeyNote Trust-Management System, Version 2''
M. Blaze, J. Feigenbaum, A. D. Keromytis,
Internet Drafts, RFC 2704.
.It ``Decentralized Trust Management''
M. Blaze, J. Feigenbaum, J. Lacy,
1996 IEEE Conference on Privacy and Security
.It ``Compliance-Checking in the PolicyMaker Trust Management System''
M. Blaze, J. Feigenbaum, M. Strauss,
1998 Financial Crypto Conference
.El
.Sh AUTHORS
Angelos D. Keromytis (angelos@dsl.cis.upenn.edu)
.Sh WEB PAGE
http://www.cis.upenn.edu/~keynote
.Sh BUGS
None that we know of.
If you find any, please report them at
.Bd -literal -offset indent -compact
keynote@research.att.com
.Ed
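.Pp
The following is an added Python example, not part of this manual page or of
the KeyNote distribution. It parses and validates an environment file of the
form "keynote verify -e" reads (see QUERY TOOL above): one varname = "value"
entry per line, varname starting with a letter or digit and allowing
underscores, value a quoted string with backslash escape processing. The escape
rules used here (backslash-newline is a line continuation and is dropped, \\n
becomes a newline, any other backslash-X becomes X) and the sample file are
assumptions; RFC 2704 and keynote(1)'s own parser are authoritative. It also
serializes a dictionary back into that format, for scripts that build the
environment for a query.

```python
"""Parse, validate and emit "keynote verify -e" environment files.

Added example; not code from the keynote man page or the KeyNote implementation.
Escape rules are an assumption to be checked against RFC 2704 (see lead-in).
"""
import re

# varname: starts with a letter or digit, may contain underscores (per the man page).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_]*")

# Constructed sample environment file (action attributes for one query).
SAMPLE_ENV = r'''app_domain = "RFC822-EMAIL"
address = "alice@example.com"
subject = "Re: \"quoted\" title"
body = "line one\
 continued"
path = "C:\\temp"
'''


class EnvSyntaxError(ValueError):
    """Malformed entry; the message carries the line number."""


def unescape(raw: str) -> str:
    """Backslash processing (assumed rules): \\<newline> dropped, \\n newline, \\X -> X."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "n":
                out.append("\n")
            elif nxt != "\n":
                out.append(nxt)  # \" -> ", \\ -> \, anything else taken literally
            i += 2               # backslash-newline: continuation, nothing appended
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_env(text: str) -> dict:
    """Return {varname: value}; reject bad names, unquoted values and duplicates."""
    env, i, n = {}, 0, len(text)
    while True:
        while i < n and text[i] in " \t\r\n":
            i += 1
        if i >= n:
            return env
        lineno = text.count("\n", 0, i) + 1
        m = NAME_RE.match(text, i)
        if m is None:
            raise EnvSyntaxError(f"line {lineno}: expected a variable name")
        name, i = m.group(0), m.end()
        while i < n and text[i] in " \t":
            i += 1
        if i >= n or text[i] != "=":
            raise EnvSyntaxError(f"line {lineno}: expected '=' after {name}")
        i += 1
        while i < n and text[i] in " \t":
            i += 1
        if i >= n or text[i] != '"':
            raise EnvSyntaxError(f"line {lineno}: value of {name} must be a quoted string")
        i += 1
        start = i
        while i < n and text[i] != '"':
            i += 2 if text[i] == "\\" else 1  # a backslash always consumes the next char
        if i >= n:
            raise EnvSyntaxError(f"line {lineno}: unterminated string for {name}")
        raw, i = text[start:i], i + 1
        if name in env:
            raise EnvSyntaxError(f"line {lineno}: duplicate variable {name}")
        env[name] = unescape(raw)


def is_malformed(text: str) -> bool:
    """Convenience check: does parse_env reject this text?"""
    try:
        parse_env(text)
    except EnvSyntaxError:
        return True
    return False


def format_env(env: dict) -> str:
    """Serialize to the -e file format, escaping backslashes, quotes and newlines."""
    lines = []
    for name, value in env.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid variable name {name!r}")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        lines.append(f'{name} = "{escaped}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for k, v in parse_env(SAMPLE_ENV).items():
        print(f"{k} = {v!r}")
```

Validating the file before handing it to "keynote verify" gives a line-numbered
error instead of a query evaluated against a silently missing attribute, which
matters because an absent attribute compares as the empty string in KeyNote
conditions.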