tlshd: man update for TLS session tags

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Author: chucklever

src/tlshd/etc/Makefile.am

@@ -23,7 +23,8 @@ tlshdconfig_DATA	= config
 tlshdtags_DATA		= tags.example
 
 man5_MANS		= tlshd.conf.man
-EXTRA_DIST		= $(man5_MANS)
+man7_MANS		= tls-session-tags.man
+EXTRA_DIST		= $(man5_MANS) $(man7_MANS)
 
 MAINTAINERCLEANFILES	= Makefile.in
 

src/tlshd/etc/tls-session-tags.man

@@ -0,0 +1,168 @@
+.\"
+.\" Copyright (c) 2025 Oracle and/or its affiliates.
+.\"
+.\" ktls-utils is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; version 2.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+.\" 02110-1301, USA.
+.\"
+.\" tls-session-tags(7)
+.\"
+.TH tls-session-tags 7 "5 Aug 2025"
+.SH NAME
+tls-session-tags \- TLS session tags
+.SH SYNOPSIS
+.B /etc/tlsd/tags.d
+.SH DESCRIPTION
+The
+.B tlshd
+program implements a user agent that services TLS handshake requests
+on behalf of kernel TLS consumers.
+Its configuration files, found under the
+.I /etc/tlshd
+directory, contain information that the
+.B tlshd
+program reads when it starts up.
+The configuration files direct the
+.B tlshd
+program to information about which trust store and signing
+and encryption algorithms are to be used.
+The configuration files are considered a trusted source of information.
+.P
+When a remote presents an x.509 certificate during a TLS handshake, the
+.B tlshd
+program is responsible for verifying that the certificate was
+issued by a certificate authority that the receiver recognizes and
+trusts.
+Once that verification is successful, the receiver can trust
+the content of that certificate, including information about
+the peer identity presented in that certificate (eg. a DNS hostname
+or IP address, and so on).
+.P
+Once a peer's certificate is trusted,
+the
+.B tlshd
+program can be configured to scan the fields in the peer's certificate.
+Based on the scan,
+the
+.B tlshd
+program can assign tags to the new TLS session that
+indicate that the server recognizes the peer's identity.
+For example,
+the
+.B tlshd
+program can be configured to look for a specific string in
+.I subject
+fields, and assign tags to TLS sessions where the peer presented
+a certificate with matching content in that field.
+Kernel consumers can use those tags to authorize or deny access
+to resources based on the identity presented in peer certificates.
+.P
+The following sections describe how to configure this facility.
+.SH FORMAT
+TLS session tag definitions are YAML documents stored in files under the
+.I /etc/tlshd/tags.d
+directory.
+When it launches, the
+.B tlshd
+program reads all files in that directory with either the
+.I .yml
+or
+.I .yaml
+extension.
+Thus changes made in these files take effect only when the
+.B tlshd
+program is restarted.
+.P
+The
+.B tlshd
+program
+populates two dictionaries from the contents of these files:
+.TP
+.B filters
+Each filter defined in this dictionary specifies the name of a
+field in an x.509 certificate, and the conditions under which the
+contents of that field are a "match".
+.TP
+.B tags
+Each tag is a list of filters (defined in the
+.B filters
+dictionary)
+that all must be matched in order for the tag to be assigned to a new
+TLS session.
+.SS Filters
+The definition of a filter is small YAML dictionary (or mapping) that
+specifies the name of the filter, the certificate field it scans, and
+the condition that defines a "match". For example:
+
+  monsters-university:
+    field: "issuer"
+    type: "wildcard"
+    expression: "*,O=Monsters University,*"
+
+This defines a filter named "monsters-university".
+It uses a wildcard match to look for "O=Monsters Univerity" in
+each certificate's "issuer" field.
+The string value of the
+.I field
+key can be the name of any x.509 certificate field (though not
+all fields are supported yet).
+The string value of the
+.I type
+key is one of "exact", "wildcard", "regex", or "list".
+
+When the value of
+.I type
+is "exact", "wildcard", or "regex",
+the
+.I expression
+value is a string that is to be matched against.
+When the value of
+.I type
+is "list", the
+.I expression
+value is a list of x.509 keyUsage bit names.
+.SS Tags
+The definition of a tag is a small YAML dictionary that specifies
+the name of the tag and a list of filters (as defined in the Filters
+mapping, above) that all must match for the tag to be assigned to
+a TLS session. For example:
+
+  ror-mu-chapter:
+    filter:
+      - "monsters-univerity"
+      - "fraternity-ror"
+
+This defines a tag named "ror-mu-chapter".
+Both the "monsters-university" and "fraternity-ror" filters must
+match in order for the
+.B tlshd
+program to assign this tag to an incoming TLS session.
+.SS Handshake completion
+Once a handshake is successful, the
+.B tlshd
+program scans the peer's certificate using the configured filter and
+tag definitions.
+Any tag matches are attached to the new TLS session and are made
+visible to the kernel consumer that is to use the session.
+Note that filter names are not exposed to kernel consumers.
+.SH STANDARDS
+x.509
+.BR
+RFC 5280
+.BR
+RFC 6125
+.SH SEE ALSO
+.BR tlshd (8),
+.BR tlshd.conf (5)
+.SH AUTHOR
+Chuck Lever

src/tlshd/etc/tlshd.conf.man

@@ -126,6 +126,7 @@ a handshake request when no other certificate is available.
 This option specifies the pathname of a file containing
 a PEM-encoded private key associated with the above certificate.
 .SH SEE ALSO
-.BR tlshd (8)
+.BR tlshd (8),
+.BR tls-session-tags (7)
 .SH AUTHOR
 Chuck Lever