Diffstat (limited to 'doc/plugindev/certauth.rst')
-rw-r--r-- | doc/plugindev/certauth.rst | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst index 7a7a07700..3740c5f7b 100644 --- a/doc/plugindev/certauth.rst +++ b/doc/plugindev/certauth.rst @@ -13,16 +13,19 @@ A certauth module implements the **authorize** method to determine whether a client's certificate is authorized to authenticate a client principal. **authorize** receives the DER-encoded certificate, the requested client principal, and a pointer to the client's -krb5_db_entry (for modules that link against libkdb5). It returns the +krb5_db_entry (for modules that link against libkdb5). The method +must decode the certificate and inspect its attributes to determine if +it should authorize PKINIT authentication. It returns the authorization status and optionally outputs a list of authentication -indicator strings to be added to the ticket. Beginning in release -1.19, the authorize method can request that the hardware -authentication bit be set in the ticket by returning -**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize method -can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the hardware -authentication bit be set in the ticket but otherwise defer authorization -to another certauth module. A module must use its own internal or -library-provided ASN.1 certificate decoder. +indicator strings to be added to the ticket. + +Beginning in release 1.19, the authorize method can request that the +hardware authentication bit be set in the ticket by returning +**KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize +method can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the +hardware authentication bit be set in the ticket but otherwise defer +authorization to another certauth module. A module must use its own +internal or library-provided ASN.1 certificate decoder. A module can optionally create and destroy module data with the **init** and **fini** methods. Module data objects last for the |
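Review bot: The added sentence "The method must decode the certificate and inspect its attributes to determine if it should authorize PKINIT authentication." now sits in the first paragraph, while the closely related requirement "A module must use its own internal or library-provided ASN.1 certificate decoder." is left at the end of the second paragraph, after the unrelated HWAUTH return-value discussion; consider moving the decoder sentence directly after the new sentence so the decoding obligation and the "bring your own decoder" constraint read as one thought. Minor wording: "to determine whether to authorize the PKINIT authentication" avoids the "if ... should authorize ... authentication" construction, and the docs elsewhere in this file use "whether" for this kind of decision (see the unchanged "to determine whether a client's certificate is authorized" above).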