OpenXPKI::Server::Authentication::X509(3) User Contributed Perl Documentation OpenXPKI::Server::Authentication::X509(3)

OpenXPKI::Server::Authentication::X509 - certificate based authentication.

Use a certificate chain passed by the authenticator to authenticate the user. This is an abstract base class; the actual challenge and extraction of the chain is done in the ChallengeX509 and ClientX509 classes. The subsequent validation performs several steps:

* look up a suitable root certificate, either in the received chain or in the database.
* do a cryptographic validation on the chain.
* check if any of the certificates (entity, chain or root) is contained in the trust anchor list.

Any failure results in an exception.

Create a list of trust anchor identifiers by calling get_trust_anchors, passing the config node trust_anchor as the path argument.

Returns (user, role, response_message) for a given login step. Noop - needs to be implemented by the inheriting classes.

    Signature:
        type: ChallengeX509
        label: Signature
        description: I18N_OPENXPKI_CONFIG_AUTH_HANDLER_DESCRIPTION_SIGNATURE
        role: User
        user:
            John Doe:
                username: jdoe
                realname: John Doe
        arg: cn
        # trust anchors (see also get_trust_anchors API method)
        trust_anchor:
            realm:
                - my_client_auth_realm
            cacert:
                - cert_identifier of external ca cert
            alias:
                - name of alias groups
        trust_rule:
            rule1:
                profile: tls_client
                meta_auth_attribute: value

role
The role assigned to the user. If not specified, a user section that returns the role is mandatory!
user
Hash holding additional user information, usually implemented as a connector reference, see below.
arg
The certificate property used as username. Supported values are:
subject / dn
The full subject/DN as a string; this is also the default.
serial
Serial in integer notation, returned as a string.
certificate
The PEM encoded certificate
cert_identifier / certid
The cert_identifier.

Note: If you use certificates from an external CA you will not be able to resolve the identifier back to any information unless you import them into the certificate database!

*
Any part that is set in the DN hash; if an attribute is multivalued, the first item is used.
trust_anchor
Definition of trust anchors used when validating the certificate. This node is mandatory and must have at least one keyword supported by the get_trust_anchors API method.
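To make the trust anchor check and the arg-to-username mapping described above concrete, here is an added Python model of those two steps; it is not OpenXPKI's own code. The Cert record, the sample chain and the sample config are constructed for the example, and the cryptographic chain validation is assumed to have already succeeded.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate (not OpenXPKI's object model)."""
    subject: str                  # full subject as a string
    serial: int                   # serial number as an integer
    identifier: str               # cert_identifier as stored in the certificate database
    dn: Dict[str, List[str]]      # parsed DN parts; each attribute may be multivalued
    realm: Optional[str] = None   # issuing realm if known to the database, else None
    aliases: List[str] = field(default_factory=list)


def matches_trust_anchor(chain: List[Cert], trust_anchor: dict) -> bool:
    """True if any certificate in the chain (entity, intermediate or root) is covered
    by one of the trust_anchor keywords the man page lists: realm, cacert or alias."""
    realms = set(trust_anchor.get("realm", []))
    cacerts = set(trust_anchor.get("cacert", []))
    aliases = set(trust_anchor.get("alias", []))
    return any(
        c.realm in realms or c.identifier in cacerts or bool(aliases & set(c.aliases))
        for c in chain
    )


def username_from_arg(cert: Cert, arg: str) -> str:
    """Map the handler's 'arg' option onto a username as the option list describes."""
    if arg in ("subject", "dn"):
        return cert.subject
    if arg == "serial":
        return str(cert.serial)            # integer notation, returned as a string
    if arg in ("cert_identifier", "certid"):
        return cert.identifier
    values = cert.dn.get(arg.upper()) or cert.dn.get(arg)   # any DN component
    if not values:
        raise ValueError("DN has no component %r" % arg)
    return values[0]                       # multivalued attribute: first item is used


def authenticate(chain: List[Cert], config: dict) -> Tuple[str, str]:
    """Trust anchor check followed by username extraction; any failure raises."""
    if not matches_trust_anchor(chain, config["trust_anchor"]):
        raise PermissionError("no certificate in chain matches the trust anchor list")
    return username_from_arg(chain[0], config["arg"]), config["role"]


# Constructed sample data: entity certificate first, issuing CA (realm user-ca) last.
SAMPLE_ROOT = Cert("CN=User CA,O=Example", 1, "ca-id-constructed",
                   {"CN": ["User CA"], "O": ["Example"]}, realm="user-ca")
SAMPLE_ENTITY = Cert("CN=jdoe,OU=People,O=Example", 4711, "ee-id-constructed",
                     {"CN": ["jdoe"], "OU": ["People"], "O": ["Example"]})
SAMPLE_CHAIN = [SAMPLE_ENTITY, SAMPLE_ROOT]
SAMPLE_CONFIG = {"type": "ClientX509", "role": "User", "arg": "cn",
                 "trust_anchor": {"realm": ["user-ca"]}}
```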

Static

Allow all certificates issued from the internal realm user-ca and set their role to User. The CN is used as username (default).

    type: ClientX509
    role: User
    trust_anchor:
        realm: user-ca

Static role, extended user information from CN

Queries the given connector with the full DN as argument and expects a hash that contains at least the key username; all other keys are made available in the "userinfo" structure (e.g. realname and emailaddress).

    type: ClientX509
    role: User
    user@: connector:my.user.info.source
    arg: subject
    trust_anchor:
        realm: user-ca

Dynamic role

Similar to the above, but as role is not set in the config, the hash returned by the connector must also contain role. As arg is also not set, the query parameter given to the connector is only the common name.

    type: ClientX509
    user@: connector:my.user.info.source
    trust_anchor:
        realm: user-ca
2022-05-14 perl v5.32.1
