OpenXPKI::Server::Authentication::X509 - certificate-based authentication.

Use a certificate chain passed by the authenticator to authenticate the user.
This is an abstract base class; the actual challenge and extraction of the
chain is done in the ChallengeX509 and ClientX509 classes. The subsequent
validation performs several steps:

* look up a suitable root certificate, either in the received chain or in
  the database
* do a cryptographic validation of the chain
* check whether any of the certificates (entity, chain or root) is contained
  in the trust anchor list

Any failure results in an exception.
Create a list of trust anchor identifiers by calling get_trust_anchors,
passing the config node trust_anchor as the path argument.

Returns a triple (user, role, response_message) for a given login step.
This is a no-op in the base class and must be implemented by the inheriting
classes.
Configuration example (fragment):

    realname: John Doe
    # trust anchors (see also get_trust_anchors API method)
    - cert_identifier of external ca cert
    - name of alias groups
The following configuration keys are supported:

- The role assigned to the user. If it is not specified, a user section
  that returns the role is mandatory.
- Hash holding additional user information, usually implemented as a
  connector reference, see below.
- The certificate property used as username (arg). Supported values are:
  - subject / dn: the full subject/dn as a string; this is also the default
  - the serial in integer notation, as a string
  - the PEM-encoded certificate
  - cert_identifier / certid: the cert_identifier. Note: if you use
    certificates from an external CA you will not be able to resolve the
    identifier back to any information unless you import them into the
    certificate database.
  - any attribute that is set in the DN hash (for example CN); if an
    attribute is multivalued, the first item is used.
- Definition of the trust anchors (trust_anchor) used when validating the
  certificate. This node is mandatory and must contain at least one of the
  keywords supported by the get_trust_anchors API method.
Allow all certificates issued from the internal realm user-ca and set
their role to User. Set CN as username.
Static role, extended user information from CN
Queries the given connector with the full DN as argument and expects a
hash that contains at least the key username; all other keys are made
available in the "userinfo" structure (e.g. realname and emailaddress).

Similar to above, but as role is not set in the config, the hash returned
by the connector must also contain role. As arg is also not set, the query
parameter given to the connector is only the
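The three scenarios above, written out as one handler configuration each. This is an added example, not the module's own documentation or a file shipped by OpenXPKI. The keys arg, trust_anchor, the user section, the supported arg values and the trust anchor kinds (internal realm, cert_identifier of an external CA certificate, alias group) come from the text above; the key names type and role, the sub-keys realm / cacert / alias under trust_anchor, the "key@: connector:..." notation for a connector reference, and the connector path auth.connector.userinfo are assumptions.

```yaml
# Added example, not the project's own configuration. Assumed key names:
# type, role, realm / cacert / alias under trust_anchor, and the
# "user@: connector:..." reference syntax. Placeholders in angle brackets
# are constructed and must be replaced with real values.

# 1. Static role, username from CN: every certificate issued by the
#    internal realm user-ca is accepted, gets role User, and the CN of
#    the subject becomes the username.
cert-static:
  type: ClientX509
  role: User
  arg: CN
  trust_anchor:
    realm: user-ca

# 2. Static role, extended user information from a connector. arg is not
#    set, so the full subject DN is the query parameter. The connector
#    must return at least "username"; any other key (realname,
#    emailaddress, ...) is exposed in the "userinfo" structure.
cert-userinfo:
  type: ClientX509
  role: User
  user@: connector:auth.connector.userinfo   # assumed connector path
  trust_anchor:
    realm: user-ca

# 3. Role and user information both from the connector. role is not set,
#    so the hash returned by the connector must also contain "role";
#    a connector that omits it makes the login fail. The trust anchor
#    node combines all kinds mentioned in the text: an internal realm,
#    an external CA certificate referenced by cert_identifier, and an
#    alias group. The anchor check passes if any certificate of the
#    validated chain (entity, intermediate or root) is in this list.
cert-connector:
  type: ClientX509
  user@: connector:auth.connector.userinfo   # assumed connector path
  trust_anchor:
    realm: user-ca
    cacert:
      - "<cert_identifier of the external CA certificate>"
    alias:
      - "<alias group name>"
```

Two practical checks when using the third form: the cert_identifier listed under cacert only resolves to anything if the external CA certificate has been imported into the certificate database, and arg: cert_identifier as username has the same limitation for certificates that were not issued by OpenXPKI. Keep role static (form 1 or 2) unless the connector is itself a trusted source of authorization data, because in form 3 whoever controls the connector backend assigns roles.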