authorNalin Dahyabhai <nalin@dahyabhai.net>2013-07-15 13:11:00 -0400
committerGreg Hudson <ghudson@mit.edu>2013-07-17 14:57:11 -0400
commite8b63198029c632d097822104d6e17c9a67ef1a5 (patch)
treeea37cbd8f9593d390db92810ccf2aad96a4b767a /src/include
parent8899397ab78ea09b8d7dbb20347dd12c93eb15ee (diff)
Pass PKINIT identity prompts to the responder cb
Use the list of deferred identity prompts and warnings, which we have after calling pkinit_identity_initialize(), to build a list of questions to supply to responder callbacks. Before calling pkinit_identity_prompt() to actually load identities that are protected, save any passwords and PINs which a responder callback may have supplied. Because pkinit_client_prep_questions() can be called multiple times, and we don't want to try to load all of our identities each of those times, take some steps to ensure that we only call pkinit_identity_initialize() and pkinit_identity_prompt() once per request. ticket: 7680
Diffstat (limited to 'src/include')
-rw-r--r--src/include/krb5/krb5.hin44
1 files changed, 44 insertions, 0 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 270ad82497..faeabc7152 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -6485,6 +6485,50 @@ krb5_prompter_posix(krb5_context context, void *data, const char *name,
#define KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN 0x0008
/**
+ * PKINIT responder question
+ *
+ * The PKINIT responder question is asked when the client needs a password
+ * that's being used to protect key information, and is formatted as a JSON
+ * object. A specific identity's flags value, if not zero, is the bitwise-OR
+ * of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined
+ * below, and possibly other flags to be added later. Any resemblance to
+ * similarly-named CKF_* values in the PKCS#11 API should not be depended on.
+ *
+ * @n {
+ * @n identity <string> : flags <number>,
+ * @n ...
+ * @n }
+ *
+ * The answer to the question MUST be JSON formatted:
+ *
+ * @n {
+ * @n identity <string> : password <string>,
+ * @n ...
+ * @n }
+ *
+ * @version New in 1.12
+ */
+#define KRB5_RESPONDER_QUESTION_PKINIT "pkinit"
+
+/**
+ * This flag indicates that an incorrect PIN was supplied at least once since
+ * the last time the correct PIN was supplied.
+ */
+#define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (1 << 0)
+
+/**
+ * This flag indicates that supplying an incorrect PIN will cause the token to
+ * lock itself.
+ */
+#define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (1 << 1)
+
+/**
+ * This flag indicates that the user PIN is locked, and you can't log in to the
+ * token with it.
+ */
+#define KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (1 << 2)
+
+/**
* A container for a set of preauthentication questions and answers
*
* A responder context is supplied by the krb5 authentication system to a @ref