internal static KrbPaEncTsEnc Now()
{
var ts = new KrbPaEncTsEnc();
KerberosConstants.Now(out ts.PaTimestamp, out ts.PaUSec);
return(ts);
}
/// <summary>
/// Applies credential-specific changes to the KDC-REQ message and is what supplies the PKINIT properties to the request.
/// </summary>
/// <param name="req">The <see cref="KrbKdcReq"/> that will be modified.</param>
public override void TransformKdcReq(KrbKdcReq req)
{
agreement = StartKeyAgreement();
// We don't support the straight RSA mode because
// it doesn't rely on ephemeral key agreement
// which isn't great security-wise
if (agreement == null)
{
throw OnlyKeyAgreementSupportedException();
}
var padata = req.PaData.ToList();
KrbAuthPack authPack;
if (SupportsEllipticCurveDiffieHellman)
{
authPack = CreateEllipticCurveDiffieHellmanAuthPack(req.Body);
}
else if (SupportsDiffieHellman)
{
authPack = CreateDiffieHellmanAuthPack(req.Body);
}
else
{
throw OnlyKeyAgreementSupportedException();
}
KerberosConstants.Now(out authPack.PKAuthenticator.CTime, out authPack.PKAuthenticator.CuSec);
SignedCms signed = new SignedCms(
new ContentInfo(
IdPkInitAuthData,
authPack.Encode().ToArray()
)
);
var signer = new CmsSigner(Certificate)
{
IncludeOption = IncludeOption
};
signed.ComputeSignature(signer, silent: true);
var pk = new KrbPaPkAsReq {
SignedAuthPack = signed.Encode()
};
padata.Add(new KrbPaData
{
Type = PaDataType.PA_PK_AS_REQ,
Value = pk.Encode()
});
req.PaData = padata.ToArray();
}
public override void TransformKdcReq(KrbKdcReq req)
{
var padata = req.PaData.ToList();
KrbAuthPack authPack;
if (SupportsEllipticCurveDiffieHellman)
{
authPack = CreateEllipticCurveDiffieHellmanAuthPack(req.Body);
}
else if (SupportsDiffieHellman)
{
authPack = CreateDiffieHellmanAuthPack(req.Body);
}
else
{
throw OnlyKeyAgreementSupportedException();
}
KerberosConstants.Now(out authPack.PKAuthenticator.CTime, out authPack.PKAuthenticator.CuSec);
SignedCms signed = new SignedCms(
new ContentInfo(
IdPkInitAuthData,
authPack.Encode().ToArray()
)
);
var signer = new CmsSigner(Certificate)
{
IncludeOption = IncludeOption
};
signed.ComputeSignature(signer, silent: true);
var pk = new KrbPaPkAsReq {
SignedAuthPack = signed.Encode()
};
padata.Add(new KrbPaData
{
Type = PaDataType.PA_PK_AS_REQ,
Value = pk.Encode()
});
req.PaData = padata.ToArray();
}