diff --git a/kdc/bx509d.8 b/kdc/bx509d.8 index faf915a63..b0930f6c5 100644 --- a/kdc/bx509d.8 +++ b/kdc/bx509d.8 @@ -113,12 +113,12 @@ Uses a thread per-client instead of as many threads as there are CPUs. .Xc verbose .El -.Sh API +.Sh ONLINE CERTIFICATION AUTHORITY HTTP API This service provides an HTTP-based Certification Authority (CA). The protocol consists of a .Ar GET of -.Ar /bx509 +.Ar /get-cert with the base-63 encoding of a DER encoding of a PKCS#10 .Ar CertificationRequest (Certificate Signing Request, or CSR) in a 
@@ -127,6 +127,54 @@ required query parameter. In a successful query, the response body will contain a PEM encoded end entity certificate and certification chain. .Pp +Or +.Ar GET +of +.Ar /bx509 , +as this used to be called. +.Pp +Authentication is required. +Unauthenticated requests will elicit a 401 response. +.Pp +Authorization is required. +Unauthorized requests will elicit a 403 response. +.Pp +Subject Alternative Names (SANs) and Extended Key Usage values +may be requested, both in-band in the CSR as a requested +extensions attribute, and/or via optional query parameters. +.Pp +Supported query parameters (separated by ampersands) +.Bl -tag -width Ds -offset indent +.It Li csr = Va base64-encoded-DER-encoded-CSR +.It Li dNSName = Va hostname +.It Li rfc822Name = Va email-address +.It Li xMPPName = Va XMPP-address +.It Li krb5PrincipalName = Va Kerberos-principal-name +.It Li ms-upn = Va UPN +.It Li eku = Va OID +.It Li lifetime = Va lifetime +.El +.Pp +More than one name or EKU may be requested. +.Pp +Certificate lifetimes are expressed as a decimal number and +an optional unit (which defaults to +.Dq day +). +.Sh NEGOTIATE TOKEN HTTP API +This service provides an HTTP-based Negotiate token service. +The protocol consists of a +.Ar GET +of +.Ar /get-negotiate-token +with a +.Ar target = Ar service@host +query parameter. +.Pp +In a successful query, the response body will contain a Negotiate +token for the authenticated client principal to the requested +target. +.Pp Authentication is required. Unauthenticated requests will elicit a 401 response. .Pp 
@@ -136,22 +184,16 @@ extensions attribute, and/or via optional query parameters. .Pp Supported query parameters (separated by ampersands) .Bl -tag -width Ds -offset indent -.It Li csr = Va -.It Li dNSName = Va -.It Li rfc822Name = Va -.It Li xMPPName = Va -.It Li krb5PrincipalName = Va -.It Li ms-upn = Va -.It Li eku = Va -.It Li lifetime = Va +.It Li target = Va service@hostname +.It Li redirect = Va URI .El .Pp -More than one name or EKU may be requested. -.Pp -Certificate lifetimes are expressed as a decimal number and -an optional unit (which defaults to -.Dq day -). +If a redirect URI is given and a matching +.Va Referer +header is included in the request, then the response will be a +redirect to that URI with the Negotiate token in an +.Va Authorization +header that the user-agent should copy to the redirected request. .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev KRB5_CONFIG diff --git a/kdc/bx509d.c b/kdc/bx509d.c index f0ec639d5..d5b36dfb4 100644 --- a/kdc/bx509d.c +++ b/kdc/bx509d.c @@ -1670,9 +1670,11 @@ route(void *cls, ret = health(method, &r); else if (strcmp(method, "GET") != 0) ret = bad_405(&r, method); - else if (strcmp(url, "/bx509") == 0) + else if (strcmp(url, "/get-cert") == 0 || + strcmp(url, "/bx509") == 0) /* old name */ ret = bx509(&r); - else if (strcmp(url, "/bnegotiate") == 0) + else if (strcmp(url, "/get-negotiate-token") == 0 || + strcmp(url, "/bnegotiate") == 0) /* old name */ ret = bnegotiate(&r); else ret = bad_404(&r, url);
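Review bot: in the first bx509d.8 hunk (@@ -113), the unchanged context line right after the renamed `.Ar /get-cert` still reads "with the base-63 encoding of a DER encoding of a PKCS#10", which should be base-64 (the parameter list added in the next hunk itself says `csr = Va base64-encoded-DER-encoded-CSR`); since this hunk already touches the adjacent line, fix the typo here rather than leaving the two descriptions of the same encoding disagreeing.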
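Review bot: in the second bx509d.8 hunk (@@ -127), the new NEGOTIATE TOKEN HTTP API section is inserted immediately above the unchanged lines "Authentication is required. / Unauthenticated requests will elicit a 401 response.", but the original lines that follow them are not removed: the third hunk's leading context still shows "extensions attribute, and/or via optional query parameters." right before "Supported query parameters", i.e. the 403 paragraph and the SAN/EKU sentence now sit under the Negotiate section even though the same SAN/EKU text was re-added above in the CA section. Extend this hunk to delete those leftover lines (the 403 paragraph can stay if Negotiate requests are also subject to authorization, but the SAN/EKU sentence is certificate-specific and belongs only in the CA section).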
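Review bot: in the third bx509d.8 hunk (@@ -136), the new paragraph "If a redirect URI is given and a matching Referer header is included in the request" does not say what "matching" means (exact URI, same origin, or prefix) or what happens when the Referer is absent or differs (an error, or the plain token-in-body response). Since the Referer is client-supplied and the redirect carries a Negotiate token in an Authorization header, the matching rule is what limits where that token is sent, so state it precisely, for example "the redirect URI must have the same scheme, host and port as the Referer; otherwise the request is rejected" if that is the implemented behaviour. Minor: the list entry `target = Va service@hostname` should use the same form as the section introduction's `target = Ar service@host`.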
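Review bot: in the bx509d.c hunk, `/bx509` and `/bnegotiate` are kept as routes with only a `/* old name */` comment, but the man page changes in this same patch document `/bx509` as the former name of `/get-cert` ("as this used to be called") while saying nothing about `/bnegotiate`; add the equivalent sentence to the NEGOTIATE TOKEN HTTP API section, and consider stating in both the comment and the man page whether the old paths are deprecated and when they will be removed, so clients know to migrate.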