
FreeBSD Manual Pages

OpenXPKI::Server::Authentication::X509(3)  User Contributed Perl Documentation  OpenXPKI::Server::Authentication::X509(3)

Name
       OpenXPKI::Server::Authentication::X509 - certificate-based
       authentication.

Description
       Use a certificate chain passed by the authenticator to authenticate the
       user.  This is an abstract base class; the actual challenge and
       extraction of the chain is done in the ChallengeX509 and ClientX509
       classes.  The subsequent validation performs several steps:

       * look up a suitable root certificate, either in the received chain or
         in the database.
       * do a cryptographic validation on the chain.
       * check if any of the certificates (entity, chain or root) is contained
         in the trust anchor list.

       Any failure results in an exception.

Functions
   _load_anchors
       Create a list of trust anchor identifiers by calling get_trust_anchors
       with the config node trust_anchor as the path argument.

   login_step
       Returns (user, role, response_message) for a given login step.  This
       is a no-op here and must be implemented by the inheriting classes.

configuration
       Signature:
           type: ChallengeX509
           label: Signature
           description: I18N_OPENXPKI_CONFIG_AUTH_HANDLER_DESCRIPTION_SIGNATURE
           role: User
           user:
               John Doe:
                   username: jdoe
                   realname: John Doe
           arg: cn
           # trust anchors (see also get_trust_anchors API method)
           trust_anchor:
               realm:
                - my_client_auth_realm
               cacert:
                - cert_identifier of external ca cert
               alias:
                - name of alias groups

   parameters
       role
           The role assigned to the user.  If not specified, a user section
           that returns the role is mandatory!

       user
           Hash holding additional user information, usually implemented as a
           connector reference, see below.

       arg
           The certificate property used as username.  Supported values are:

           subject / dn
               The full subject/dn as string; this is also the default.

           serial
               Serial in integer notation, as a string.

           certificate
               The PEM encoded certificate.

           *   Any other value names a part of the DN hash; if that attribute
               is multivalued, the first item is used.

       trust_anchor
           Definition of the trust anchors used when validating the
           certificate.  This node is mandatory and must have at least one of
           the keywords supported by the get_trust_anchors API method.

   Examples
       Static

       Allow all certificates issued from the internal realm user-ca and set
       their role to User.  Set CN as username (default).

	   type: ClientX509
	   label: Client Certificate Auth
	   role: User
	   trust_anchor:
	       realm: user-ca

       Static role, extended user information from CN

       Queries the given connector with the full DN as argument and expects a
       hash that contains at least the key username; all other keys are made
       available in the "userinfo" structure (e.g. realname and emailaddress).

	   type: ClientX509
	   label: Client Certificate Auth
	   role: User
	   user@: connector:my.user.info.source
	   arg:	subject
	   trust_anchor:
	       realm: user-ca

       Dynamic role

       Similar to the above, but as role is not set in the config, the hash
       returned by the connector must also contain role.  As arg is also not
       set, the query parameter given to the connector is only the common name.

	   type: ClientX509
	   label: Client Certificate Auth
	   user@: connector:my.user.info.source
	   trust_anchor:
	       realm: user-ca

perl v5.32.0			  202OpenXPKI::Server::Authentication::X509(3)
