/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <returns></returns>
private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));
Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
this.ApRequestAuthenticator = authenticator;
KerberosApRequest request = new KerberosApRequest(
Context.Pvno,
options,
Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
this.client.UpdateContext(request);
if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
{
return(request.ToBytes());
}
else
{
return(KerberosUtility.AddGssApiTokenHeader(request, this.client.OidPkt, gssToken));
}
}
public static byte[] AddGssApiTokenHeader(KerberosApRequest request,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
byte[] encoded = request.ToBytes();
byte[] token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(
BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REQ)), encoded), oidPkt, gssToken);
return(token);
}
/// <summary>
/// Client initialize with server token
/// </summary>
/// <param name="serverToken">Server token</param>
private void ClientInitialize(byte[] serverToken)
{
KerberosApResponse apRep = this.GetApResponseFromToken(serverToken, KerberosConstValue.GSSToken.GSSAPI);
this.VerifyApResponse(apRep);
token = null;
if ((contextAttribute & ClientSecurityContextAttribute.DceStyle) == ClientSecurityContextAttribute.DceStyle)
{
KerberosApResponse apResponse = this.CreateApResponse(null);
var apBerBuffer = new Asn1BerEncodingBuffer();
if (apResponse.ApEncPart != null)
{
// Encode enc_part
apResponse.ApEncPart.BerEncode(apBerBuffer, true);
EncryptionKey key = this.Context.ApSessionKey;
if (key == null || key.keytype == null || key.keyvalue == null || key.keyvalue.Value == null)
{
throw new ArgumentException("Ap session key is not valid");
}
// Encrypt enc_part
EncryptionType eType = (EncryptionType)key.keytype.Value;
byte[] cipherData = KerberosUtility.Encrypt(
eType,
key.keyvalue.ByteArrayValue,
apBerBuffer.Data,
(int)KeyUsageNumber.AP_REP_EncAPRepPart);
apResponse.Response.enc_part = new EncryptedData(new KerbInt32((int)eType), null, new Asn1OctetString(cipherData));
}
// Encode AP Response
apResponse.Response.BerEncode(apBerBuffer, true);
if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
{
// In DCE mode, the AP-REP message MUST NOT have GSS-API wrapping.
// It is sent as is without encapsulating it in a header ([RFC2743] section 3.1).
this.token = apBerBuffer.Data;
}
else
{
this.token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(
BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REP)),
apBerBuffer.Data));
}
}
this.needContinueProcessing = false; // SEC_E_OK;
}
