KEYNOTE(1)                  General Commands Manual                  KEYNOTE(1)
NAME
     keynote — command line tool for keynote operations

DESCRIPTION
     keynote is a command line tool for KeyNote operations: key generation,
     assertion signing, signature verification, and assertion verification.
     For more details on KeyNote, see RFC 2704.
     The keygen command creates a public/private key pair of size KeySize (in
     bits), for the algorithm specified by AlgorithmName.  Typical key sizes
     are 512, 1024, or 2048 (bits).  The minimum key size for DSA keys is 512
     (bits).  Note that 512-bit RSA and DSA keys can be broken with modest
     resources and 1024-bit keys are no longer considered adequate; use 2048
     bits or more for new keys.  Supported AlgorithmName identifiers are:

     Notice that the trailing colon is required.  The resulting public key is
     stored in the file PublicKeyFile.  Similarly, the resulting private key is
     stored in the file PrivateKeyFile.  Either of the filenames can be
     specified as ‘-’, in which case the corresponding key(s) will be printed
     to standard output.

     The optional parameters print-offset and print-length specify the offset
     from the beginning of the line at which the key is printed, and the number
     of characters of the key printed per line.  print-length includes
     AlgorithmName on the first line and has to be longer (by at least 2
     characters) than AlgorithmName.  print-length also accounts for the
     line-continuation character (backslash) at the end of each line, and the
     double quotes at the beginning and end of the key encoding.  Default
     values are 12 and 50 respectively.
     The sign command reads the assertion contained in AssertionFile and
     generates a signature of the type specified by AlgorithmName using the
     private key stored in PrivateKeyFile.  The private key is expected to be
     of the form output by keygen.  The private key algorithm and the
     AlgorithmName specified as an argument are expected to match.  There is
     no requirement for the internal or ASCII encodings to match.  Valid
     AlgorithmName identifiers are:

     Notice that the trailing colon is required.  The resulting signature is
     printed to standard output.  This can then be added (via cut-and-paste or
     some script) at the end of the assertion, in the Signature field.

     The public key corresponding to the private key in PrivateKeyFile is
     expected to already be included in the Authorizer field of the assertion,
     either directly or indirectly (i.e., through use of a Local-Constants
     attribute).  Furthermore, the assertion must have a Signature field (even
     if it is empty), as the signature is computed on everything between the
     KeyNote-Version and Signature keywords (inclusive), and the AlgorithmName
     string.  It follows that text before the KeyNote-Version keyword or after
     the Signature keyword (such as the pasted signature value itself) is not
     covered by the signature.
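     The following is an added example, not code from the keynote tool or
     libkeynote, showing which bytes the signature described above covers: the
     region from the KeyNote-Version keyword through the Signature keyword
     plus the AlgorithmName string, so that comments before the assertion and
     the signature value pasted in afterwards are excluded.  Assumptions not
     on this page: the region is cut at the end of the word Signature on the
     line that begins that field, the demo digest is SHA-1 (the hash the RFC
     2792 sig-*-sha1-* schemes sign), and the assertion text is a constructed
     sample.  Confirm the exact boundary against kn_sign_assertion(3) before
     relying on it for interoperability.

```python
"""Which bytes a KeyNote assertion signature covers.

Added example, not code from the keynote tool or libkeynote.  Assumptions:
the signed region ends at the end of the word "Signature" on the line that
begins the Signature field; the demo digest is SHA-1; the assertion below
is a constructed sample with placeholder key encodings.
"""
import hashlib
import re

# Constructed sample.  The Signature field is present but empty, which the
# page says is required before signing.
SAMPLE_ASSERTION = """\
# comment before the assertion: not part of the signed region
KeyNote-Version: 2
Local-Constants: ALICE = "rsa-hex:3048024100c0ffee..."
Authorizer: ALICE
Licensees: "rsa-hex:3048024100deadbeef..."
Conditions: app_domain == "RFC822-EMAIL" && address ~= ".*@example\\.com";
Signature:
"""

# The Signature keyword at the start of a line, followed by its colon.
SIGNATURE_KEYWORD = re.compile(r"^Signature(?=\s*:)", re.MULTILINE)


def signed_region(assertion: str, algorithm: str) -> bytes:
    """Return the bytes a signature over `assertion` is computed on."""
    start = assertion.find("KeyNote-Version")
    if start < 0:
        raise ValueError("assertion has no KeyNote-Version keyword")
    m = SIGNATURE_KEYWORD.search(assertion, start)
    if m is None:
        raise ValueError("assertion has no Signature field")
    # From the first keyword through the last one, then the algorithm name.
    return (assertion[start:m.end()] + algorithm).encode()


def signed_digest_hex(assertion: str, algorithm: str) -> str:
    """SHA-1 of the signed region: the value a sig-*-sha1-* key signs."""
    return hashlib.sha1(signed_region(assertion, algorithm)).hexdigest()


def with_signature(assertion: str, signature: str) -> str:
    """Paste a signature value after the empty Signature field, the way the
    page says sign's output is meant to be added to the assertion."""
    if not assertion.endswith("Signature:\n"):
        raise ValueError("assertion does not end with an empty Signature field")
    return assertion[:-1] + " " + signature + "\n"


def signature_leaves_region_unchanged(assertion: str, algorithm: str,
                                      signature: str) -> bool:
    """True when pasting the signature value does not alter the signed bytes."""
    return (signed_region(assertion, algorithm)
            == signed_region(with_signature(assertion, signature), algorithm))


if __name__ == "__main__":
    alg = "sig-rsa-sha1-hex:"   # RFC 2792 identifier; the trailing colon is required
    print(signed_region(SAMPLE_ASSERTION, alg).decode())
    print("sha1:", signed_digest_hex(SAMPLE_ASSERTION, alg))
```

     Run stand-alone it prints the signed region and its digest; removing the
     Signature field from the sample makes signed_region raise, mirroring the
     page's requirement that the field exist even when empty.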
     If the -v flag is provided, sign will also verify the newly-created
     signature using the Authorizer field key.

     The optional parameters print-offset and print-length specify the offset
     from the beginning of the line at which the signature is printed, and the
     number of characters of the signature printed per line.  print-length
     includes AlgorithmName on the first line and has to be longer (by at
     least 2 characters) than AlgorithmName.  print-length also accounts for
     the line-continuation character (backslash) at the end of each line, and
     the double quotes at the beginning and end of the signature encoding.
     Default values are 12 and 50 respectively.
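     The print-offset and print-length rules are the same for the key output
     of keygen and the signature output of sign.  The following is an added
     example, not the keynote tool's own printing code, that lays an encoding
     out under those rules and checks the result against them: every line
     starts print-offset characters in, print-length counts the opening and
     closing double quote, the AlgorithmName on the first line and the
     trailing backslash on every line but the last, and print-length must be
     at least 2 more than the AlgorithmName.  Filling each line up to
     print-length is this example's choice, not necessarily the tool's, and
     the key string is constructed; "rsa-hex:" is used as an RFC 2792 key
     identifier.

```python
"""Lay a key or signature out as the page describes print-offset and
print-length.

Added example, not the keynote tool's own printing code.  Filling each line
to print-length is this example's choice; the key string is constructed.
"""


def min_print_length(algorithm: str) -> int:
    """The page's lower bound: the opening quote and the first line's
    backslash must fit on line 1 together with the whole AlgorithmName."""
    return len(algorithm) + 2


def format_encoding(algorithm: str, encoded: str,
                    print_offset: int = 12, print_length: int = 50) -> str:
    """Return the quoted, backslash-continued, indented encoding."""
    if print_length < min_print_length(algorithm):
        raise ValueError(f"print-length {print_length} is less than "
                         f"len(AlgorithmName)+2 = {min_print_length(algorithm)}")
    pad = " " * print_offset
    body = '"' + algorithm + encoded + '"'   # the quotes count toward print-length
    lines = []
    while body:
        if len(body) <= print_length:        # the rest fits: last line, no backslash
            lines.append(pad + body)
            break
        head, body = body[:print_length - 1], body[print_length - 1:]
        lines.append(pad + head + "\\")     # backslash is the print_length-th char
    return "\n".join(lines) + "\n"


def parse_encoding(text: str) -> str:
    """Undo the layout: drop the offset, join continued lines, strip quotes."""
    parts = []
    for line in text.splitlines():
        line = line.lstrip(" ")              # remove the print-offset padding
        if line.endswith("\\"):
            line = line[:-1]                 # continuation: join with next line
        parts.append(line)
    joined = "".join(parts)
    if len(joined) < 2 or joined[0] != '"' or joined[-1] != '"':
        raise ValueError("encoding is not a double-quoted string")
    return joined[1:-1]


def check_layout(text: str, algorithm: str,
                 print_offset: int = 12, print_length: int = 50) -> bool:
    """Check the page's stated constraints on an already formatted encoding."""
    lines = text.splitlines()
    pad = " " * print_offset
    if not lines or not lines[0].startswith(pad + '"' + algorithm):
        return False                         # whole AlgorithmName on line 1
    for i, line in enumerate(lines):
        if not line.startswith(pad) or len(line) - print_offset > print_length:
            return False
        if i < len(lines) - 1 and not line.endswith("\\"):
            return False                     # every line but the last continues
    return lines[-1].endswith('"')


if __name__ == "__main__":
    alg = "rsa-hex:"                         # RFC 2792 key identifier, colon required
    key = "".join(f"{i % 16:x}" for i in range(200))   # constructed 200-char hex string
    print(format_encoding(alg, key), end="")
```

     parse_encoding shows why the layout is safe to paste into an assertion:
     removing the backslash-newline pairs and the indentation gives back the
     single quoted string, AlgorithmName included.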
     The sigver command reads the assertions contained in AssertionFile and
     verifies the public-key signatures on all of them.

     For each operand that names a file, the verify command reads the file and
     parses the assertions contained therein (one assertion per
     The options are as follows:

     -e envfile
             Specifies the file containing the action environment attributes,
             as lines of the form:

                   varname = "value"

             varname can begin with any letter (upper or lower case) or
             number, and can contain underscores.  value is a quoted string,
             and can contain any character; escape (backslash) processing is
             performed, as specified in the KeyNote RFC.
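     The following is an added example, not the tool's own parser, of reading
     an action environment in the form described above: one varname = "value"
     attribute per line, varname beginning with a letter or digit and possibly
     containing underscores, value a double-quoted string in which a backslash
     escapes the following character.  Assumptions beyond the page: blank
     lines are skipped, a later duplicate name overrides an earlier one, and
     the only escape rule applied is that a backslash takes the next character
     literally (the KeyNote RFC's string rules govern anything beyond that).
     The sample files are constructed.

```python
"""Parse the action-environment file that keynote verify reads.

Added example, not the keynote tool's own parser.  Assumptions: blank lines
are skipped, later duplicates win, and backslash simply quotes the next
character.  The sample inputs are constructed.
"""
import re

# Per the page: first character a letter or digit, underscores allowed after.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_]*")

# Constructed sample; the third value contains escaped quotes and a backslash.
SAMPLE_ENV = '''\
app_domain = "RFC822-EMAIL"
address = "alice@example.com"
subject = "re: \\"urgent\\" invoice from C:\\\\share"
'''

# Constructed lines that violate the page's format, one rule each.
BAD_ENV_LINES = [
    '_hidden = "no"',            # name may not start with an underscore
    'address = alice@example',   # value must be a quoted string
    'address = "alice',          # unterminated string
    'address = "alice" extra',   # trailing text after the value
]


def unescape_quoted(s: str, start: int):
    """Decode the quoted string whose opening quote is at s[start].
    Return (value, index just past the closing quote)."""
    out = []
    i = start + 1
    while i < len(s):
        c = s[i]
        if c == "\\":                     # backslash: next char taken literally
            if i + 1 >= len(s):
                raise ValueError("dangling backslash")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted string")


def parse_env_line(line: str):
    """Parse one `varname = "value"` line into (name, value)."""
    m = NAME_RE.match(line)
    if m is None:
        raise ValueError(f"bad attribute name in {line!r}")
    name = m.group()
    i = m.end()
    while i < len(line) and line[i] in " \t":
        i += 1
    if i >= len(line) or line[i] != "=":
        raise ValueError(f"expected '=' after {name}")
    i += 1
    while i < len(line) and line[i] in " \t":
        i += 1
    if i >= len(line) or line[i] != '"':
        raise ValueError(f"value of {name} must be a double-quoted string")
    value, i = unescape_quoted(line, i)
    if line[i:].strip():
        raise ValueError(f"unexpected text after value of {name}")
    return name, value


def parse_env(text: str) -> dict:
    """Parse a whole environment file; errors carry the line number."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            name, value = parse_env_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        env[name] = value
    return env


def line_is_valid(line: str) -> bool:
    """Convenience check used to exercise the rejection paths."""
    try:
        parse_env_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, value in parse_env(SAMPLE_ENV).items():
        print(f"{name} = {value!r}")
```

     Rejecting malformed lines up front matters because the action
     environment is the input the policy is evaluated against: a line that
     silently parses to the wrong name or value changes the outcome of the
     compliance check.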
     At most one -r and at least one each of -e, -l and -k flags should be
     given per invocation.  If no flags are given, keynote prints the usage
     message and exits with error code -1.

EXIT STATUS
     keynote exits with code -1 if there was an error, and 0 on success.  Note
     that an exit code of -1 is reported to the shell as status 255, so
     scripts should test for a non-zero status rather than for -1.
SEE ALSO
     M. Blaze, J. Feigenbaum, and J. Lacy, Decentralized Trust Management,
     IEEE Symposium on Security and Privacy, 1996.

     M. Blaze, J. Feigenbaum, and M. Strauss, Compliance-Checking in the
     PolicyMaker Trust Management System, Financial Crypto Conference, 1998.

     M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis, The KeyNote
     Trust-Management System Version 2, RFC 2704, September 1999.

AUTHORS
     Angelos D. Keromytis <email@example.com>
OpenBSD-current                November 20, 2015                OpenBSD-current