.. _certauth_plugin:

PKINIT certificate authorization interface (certauth)
=====================================================

The certauth interface was first introduced in release 1.16.  It
allows customization of the X.509 certificate attribute requirements
placed on certificates used by PKINIT-enabled clients.  For a detailed
description of the certauth interface, see the header file
``<krb5/certauth_plugin.h>``.

A certauth module implements the **authorize** method to determine
whether a client's certificate is authorized to authenticate a client
principal.  **authorize** receives the DER-encoded certificate, the
requested client principal, and a pointer to the client's
krb5_db_entry (for modules that link against libkdb5).  It returns the
authorization status and optionally outputs a list of authentication
indicator strings to be added to the ticket.  Beginning in release
1.19, the authorize method can request that the hardware
authentication bit be set in the ticket by returning
**KRB5_CERTAUTH_HWAUTH**.  A module must use its own internal or
library-provided ASN.1 certificate decoder.

A module can optionally create and destroy module data with the
**init** and **fini** methods.  Module data objects last for the
lifetime of the KDC process.

If a module allocates and returns a list of authentication indicators
from **authorize**, it must also implement the **free_ind** method
to free the list.
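The method contract described above, shown as an added example that is
not code from the krb5 project: a minimal certauth module whose
**authorize** accepts a certificate only when its issuer Name matches
one configured DER Name, tags the ticket with an authentication
indicator, and returns **KRB5_CERTAUTH_HWAUTH** because that issuer is
treated as a smart-card CA.  The ``example_*`` function names, the
constructed issuer and certificate bytes, the placeholder error-code
values, and the stand-in typedefs are assumptions made so the file
builds without libkrb5; a real module includes
``<krb5/certauth_plugin.h>`` and ``<krb5.h>`` instead of the stand-in
block.  The ASN.1 decoding is deliberately limited to walking the
outer DER structure down to the issuer field.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* STAND-INS: shapes mirrored from <krb5/certauth_plugin.h> / <krb5.h> so this
 * file builds without libkrb5.  A real module includes those headers and drops
 * this block; the two error-code values below are placeholders, not real ones. */
typedef int krb5_error_code;
typedef struct krb5_context_st *krb5_context;                   /* opaque here */
typedef struct krb5_db_entry_st krb5_db_entry;                  /* opaque here */
typedef const struct krb5_principal_data *krb5_const_principal; /* opaque here */
typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata; /* module-defined */
#define KRB5_CERTAUTH_HWAUTH             1        /* real value */
#define KRB5_PLUGIN_NO_HANDLE            (-9001)  /* placeholder */
#define KRB5KDC_ERR_CERTIFICATE_MISMATCH (-9002)  /* placeholder */

/* Module data: created by init, freed by fini, lives as long as the KDC. */
struct krb5_certauth_moddata_st {
    const uint8_t *issuer; size_t issuer_len; /* DER Name of the one accepted issuer */
    int hwauth;                               /* issuer certifies smart-card keys only */
};

/* Constructed for this example: DER Name { CN = "X" }.  A real module would
 * load the trusted issuer from its configuration. */
static const uint8_t trusted_issuer[] = { 0x30,0x0c, 0x31,0x0a, 0x30,0x08,
    0x06,0x03,0x55,0x04,0x03, 0x0c,0x01,0x58 };

/* Read one DER TLV at *p (bounded by end) into tag/val/vlen and step past it.
 * Accepts short-form and 1..3-byte long-form lengths. */
static int der_next(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                    const uint8_t **val, size_t *vlen)
{
    const uint8_t *c = *p; size_t len, n;
    if (end - c < 2) return 0;
    *tag = c[0]; len = c[1]; c += 2;
    if (len & 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - c) < n) return 0;
        for (len = 0; n > 0; n--) len = (len << 8) | *c++;
    }
    if ((size_t)(end - c) < len) return 0;
    *val = c; *vlen = len; *p = c + len;
    return 1;
}

/* Find the issuer Name TLV of a DER Certificate (RFC 5280 order inside
 * tbsCertificate: [0] version OPTIONAL, serialNumber, signature, issuer). */
static int cert_issuer_der(const uint8_t *cert, size_t len,
                           const uint8_t **issuer, size_t *ilen)
{
    const uint8_t *p = cert, *end = cert + len, *v, *start; size_t vl; uint8_t tag;
    if (!der_next(&p, end, &tag, &v, &vl) || tag != 0x30 || p != end) return 0;
    p = v; end = v + vl;                                            /* in Certificate */
    if (!der_next(&p, end, &tag, &v, &vl) || tag != 0x30) return 0;
    p = v; end = v + vl;                                            /* in tbsCertificate */
    if (!der_next(&p, end, &tag, &v, &vl)) return 0;
    if (tag == 0xa0 && !der_next(&p, end, &tag, &v, &vl)) return 0; /* skip version */
    if (tag != 0x02) return 0;                                      /* serialNumber */
    if (!der_next(&p, end, &tag, &v, &vl) || tag != 0x30) return 0; /* signature */
    start = p;
    if (!der_next(&p, end, &tag, &v, &vl) || tag != 0x30) return 0; /* issuer */
    *issuer = start; *ilen = (size_t)(p - start);
    return 1;
}

static krb5_error_code example_init(krb5_context ctx, krb5_certauth_moddata *out)
{
    krb5_certauth_moddata md = calloc(1, sizeof(*md));
    (void)ctx;
    if (md == NULL) return ENOMEM;
    md->issuer = trusted_issuer; md->issuer_len = sizeof(trusted_issuer); md->hwauth = 1;
    *out = md;
    return 0;
}

static void example_fini(krb5_context ctx, krb5_certauth_moddata md) { (void)ctx; free(md); }

/* Return 0 (authorized) or KRB5_CERTAUTH_HWAUTH (authorized + hardware bit),
 * KRB5_PLUGIN_NO_HANDLE (no opinion; other modules decide), else reject. */
static krb5_error_code example_authorize(krb5_context ctx, krb5_certauth_moddata md,
    const uint8_t *cert, size_t cert_len, krb5_const_principal princ,
    const void *opts, const krb5_db_entry *db_entry, char ***authinds_out)
{
    const uint8_t *issuer; size_t ilen; char **inds;
    (void)ctx; (void)princ; (void)opts; (void)db_entry; *authinds_out = NULL;
    if (!cert_issuer_der(cert, cert_len, &issuer, &ilen))
        return KRB5KDC_ERR_CERTIFICATE_MISMATCH;            /* malformed: reject */
    if (ilen != md->issuer_len || memcmp(issuer, md->issuer, ilen) != 0)
        return KRB5_PLUGIN_NO_HANDLE;                       /* not our CA: no opinion */
    /* NULL-terminated indicator list; the KDC hands it back to free_ind. */
    inds = calloc(2, sizeof(*inds));
    if (inds == NULL || (inds[0] = strdup("example-ca")) == NULL) { free(inds); return ENOMEM; }
    *authinds_out = inds;
    return md->hwauth ? KRB5_CERTAUTH_HWAUTH : 0;
}

static void example_free_ind(krb5_context ctx, krb5_certauth_moddata md, char **authinds)
{
    size_t i;
    (void)ctx; (void)md;
    if (authinds == NULL) return;
    for (i = 0; authinds[i] != NULL; i++) free(authinds[i]);
    free(authinds);
}
```

Two points worth noting in the shape above: the list handed out by
**authorize** and the list freed by **free_ind** must use the same
allocation scheme, since the KDC passes the former straight to the
latter; and a certificate from an issuer the module does not know
yields **KRB5_PLUGIN_NO_HANDLE** rather than an error, so that the
remaining certauth modules still get to decide.  In a real module the
four functions are placed into the ``krb5_certauth_vtable`` by the
module's ``initvt`` entry point, as documented in the header.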