author: Greg Hudson <ghudson@mit.edu> 2022-01-25 18:09:21 -0500
committer: Greg Hudson <ghudson@mit.edu> 2022-03-02 17:01:59 -0500
commit: f5581b25d0476ec02c87e89b1211e8fd7659a57a
tree: 8115b9465238bd6ed328729126dd061877282572 /doc
parent: 06e108a5eeb967361493ef1924ce7334f00cccc0
Clarify certauth interface documentation
Try to make it clearer that princ is the requested client principal, not a principal extracted from the certificate, and that the module must decode the certificate and inspect its attributes. Document KRB5_CERTAUTH_HWAUTH_PASS in certauth_plugin.h.

ticket: 9051 (new)
Diffstat (limited to 'doc')
-rw-r--r-- doc/plugindev/certauth.rst | 21
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
index 7a7a077..3740c5f 100644
--- a/doc/plugindev/certauth.rst
+++ b/doc/plugindev/certauth.rst
@@ -13,16 +13,19 @@ A certauth module implements the **authorize** method to determine
whether a client's certificate is authorized to authenticate a client
principal. **authorize** receives the DER-encoded certificate, the
requested client principal, and a pointer to the client's
-krb5_db_entry (for modules that link against libkdb5). It returns the
+krb5_db_entry (for modules that link against libkdb5). The method
+must decode the certificate and inspect its attributes to determine if
+it should authorize PKINIT authentication. It returns the
authorization status and optionally outputs a list of authentication
-indicator strings to be added to the ticket. Beginning in release
-1.19, the authorize method can request that the hardware
-authentication bit be set in the ticket by returning
-**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize method
-can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the hardware
-authentication bit be set in the ticket but otherwise defer authorization
-to another certauth module. A module must use its own internal or
-library-provided ASN.1 certificate decoder.
+indicator strings to be added to the ticket.
+
+Beginning in release 1.19, the authorize method can request that the
+hardware authentication bit be set in the ticket by returning
+**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize
+method can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the
+hardware authentication bit be set in the ticket but otherwise defer
+authorization to another certauth module. A module must use its own
+internal or library-provided ASN.1 certificate decoder.
A module can optionally create and destroy module data with the
**init** and **fini** methods. Module data objects last for the
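Review bot: the sentence "A module must use its own internal or library-provided ASN.1 certificate decoder." is left dangling at the end of the new second paragraph, which is otherwise about KRB5_CERTAUTH_HWAUTH and KRB5_CERTAUTH_HWAUTH_PASS, so it reads as unrelated to the hardware-authentication return codes around it. It belongs with the new "The method must decode the certificate and inspect its attributes" sentence in the first paragraph, for example "The method must decode the certificate, using its own internal or library-provided ASN.1 decoder, and inspect its attributes to determine whether it should authorize PKINIT authentication." Separately, the commit message says the goal is to make clear that princ is the requested client principal and not a principal extracted from the certificate, but the hunk still only says "the requested client principal", which is the wording that was already there; stating the distinction explicitly, e.g. "the requested client principal (not a name taken from the certificate; the module is responsible for checking that the certificate authorizes this principal)", would make the point the commit sets out to make. Minor: "determine if" is better as "determine whether".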