bx509d: Allow requesting longer cert lifetimes

Add a `lifetime=NUMunit` query parameter. Also add a krb5.conf parameter to indicate whether this is allowed. We already have a max lifetime configuration parameter.
2021-03-07 22:20:06 -06:00
parent 00e0475ce2
commit fbb1a4e3ec
7 changed files with 105 additions and 14 deletions
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -827,9 +827,30 @@ for non-default client and server certificates.
 and where the parameters are as follows:
 .Bl -tag -width "xxx" -offset indent
 .It Li ca = Va file
-Specifies the PEM credentials for the kx509 certification
-authority.  If not specified for any specific use-case, then that
-use-case will be disabled.
+Specifies the PEM credentials for the kx509 / bx509d certification
+authority.
+If not specified for any specific use-case, then that use-case
+will be disabled.
+.It Li max_cert_lifetime = Va NUMunit
+Specifies the maximum certificate lifetime as a decimal number
+and an optional unit (the default unit is
+.Dq day
+).
+.It Li force_cert_lifetime = Va NUMunit
+Specifies a minimum certificate lifetime as a decimal number and
+an optional unit (the default unit is
+.Dq day
+).
+.It Li allow_extra_lifetime = Va boolean
+Indicates whether a client may request longer lifetimes than
+their authentication credentials.
+Defaults to false.
+If a
+.Li force_cert_lifetime
+is specified, then
+.Li allow_extra_lifetime
+is implicitly forced to
+.Va true .
 .It Li require_initial_kca_tickets = Va boolean
 Specified whether to require that tickets for the
 .Li kca_service