summaryrefslogtreecommitdiff
path: root/doc/plugindev/certauth.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/plugindev/certauth.rst')
-rw-r--r--doc/plugindev/certauth.rst27
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
new file mode 100644
index 000000000000..8a7f7c5ebad6
--- /dev/null
+++ b/doc/plugindev/certauth.rst
@@ -0,0 +1,27 @@
+.. _certauth_plugin:
+
+PKINIT certificate authorization interface (certauth)
+=====================================================
+
+The certauth interface was first introduced in release 1.16. It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients. For a detailed
+description of the certauth interface, see the header file
+``<krb5/certauth_plugin.h>``
+
+A certauth module implements the **authorize** method to determine
+whether a client's certificate is authorized to authenticate a client
+principal. **authorize** receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client's
+krb5_db_entry (for modules that link against libkdb5). It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket. A module must use its
+own internal or library-provided ASN.1 certificate decoder.
+
+A module can optionally create and destroy module data with the
+**init** and **fini** methods. Module data objects last for the
+lifetime of the KDC process.
+
+If a module allocates and returns a list of authentication indicators
+from **authorize**, it must also implement the **free_ind** method
+to free the list.
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-22 13:04:12 +0000