Diffstat (limited to 'src')
-rw-r--r-- | src/include/krb5/certauth_plugin.h | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
index 3466cf3..bba09b1 100644
--- a/src/include/krb5/certauth_plugin.h
+++ b/src/include/krb5/certauth_plugin.h
@@ -85,16 +85,22 @@ typedef void (*krb5_certauth_fini_fn)(krb5_context context,
 krb5_certauth_moddata moddata);
 
 /*
- * Mandatory: return 0 or KRB5_CERTAUTH_HWAUTH if the DER-encoded cert is
- * authorized for PKINIT authentication by princ; otherwise return one of the
- * following error codes:
+ * Mandatory: decode cert as an X.509 certificate and determine whether it is
+ * authorized to authenticate as the requested client principal princ using
+ * PKINIT. Return 0 or KRB5_CERTAUTH_HWAUTH if the certificate is authorized.
+ * Otherwise return one of the following error codes:
+ *
  * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
  * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
  * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
- * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert
+ * - KRB5_PLUGIN_NO_HANDLE or KRB5_CERTAUTH_HWAUTH_PASS - the module has no
+ * opinion about whether cert is authorized
  *
- * Returning KRB5_CERTAUTH_HWAUTH will cause the hw-authent flag to be set in
- * the issued ticket (new in release 1.19).
+ * Returning KRB5_CERTAUTH_HWAUTH will authorize the PKINIT authentication and
+ * cause the hw-authent flag to be set in the issued ticket (new in release
+ * 1.19). Returning KRB5_CERTAUTH_HWAUTH_PASS does not authorize the PKINIT
+ * authentication, but causes the hw-authent flag to be set if another module
+ * authorizes it (new in release 1.20)
  *
  * - opts is used by built-in modules to receive internal data, and must be
  * ignored by other modules. |
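Review bot: The rewritten contract now tells a module to "decode cert as an X.509 certificate", but it does not say which return value to use when cert is not a valid X.509 DER encoding, so a module author has to guess between KRB5_PLUGIN_NO_HANDLE and one of the KRB5KDC_ERR_* codes; a sentence after the error-code list such as `* If cert cannot be decoded, return <the code the KDC expects — confirm against the authorize callers>.` would close that gap. Minor: the new sentence ending `authorizes it (new in release 1.20)` is missing its terminating period. The comment block this hunk edits documents a callback typedef that follows outside the hunk.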