.. doc/plugindev/certauth.rst

.. _certauth_plugin:

PKINIT certificate authorization interface (certauth)
=====================================================

The certauth interface was first introduced in release 1.16.  It
allows customization of the X.509 certificate attribute requirements
placed on certificates used by PKINIT-enabled clients.  For a detailed
description of the certauth interface, see the header file
``<krb5/certauth_plugin.h>``.

A certauth module implements the **authorize** method to determine
whether a client's certificate is authorized to authenticate a client
principal.  **authorize** receives the DER-encoded certificate, the
requested client principal, and a pointer to the client's
krb5_db_entry (for modules that link against libkdb5).  It returns the
authorization status and optionally outputs a list of authentication
indicator strings to be added to the ticket.  The KDC does not decode
the certificate on the module's behalf: a module must use its own
internal or library-provided ASN.1 certificate decoder.

A module can optionally create and destroy module data with the
**init** and **fini** methods.  Module data objects last for the
lifetime of the KDC process.

If a module allocates and returns a list of authentication indicators
from **authorize**, it must also implement the **free_ind** method
to free the list.