public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
byte[] key = KeyGenerator.MakeKey(eType, password, salt);
this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(key));
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.PA_ENC_TIMESTAMP);
// create an encrypted timestamp
PA_ENC_TIMESTAMP paEncTimeStamp =
new PA_ENC_TIMESTAMP(new KerbInt32(this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
paEncTimeStamp.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP), new Asn1OctetString(paEncTimestampBuffer.Data));
}
private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName, AuthorizationData authData = null)
{
KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sName);
if (authData == null)
{
return(kdcReqBody);
}
Asn1BerEncodingBuffer asnEncBuffer = new Asn1BerEncodingBuffer();
authData.BerEncode(asnEncBuffer, true);
EncryptedData encryptData = new EncryptedData();
encryptData.etype = new KerbInt32(0);
byte[] encryptAsnEncoded = asnEncBuffer.Data;
if (this.Context.SessionKey != null && this.Context.SessionKey.keytype != null && this.Context.SessionKey.keyvalue != null && this.Context.SessionKey.keyvalue.Value != null)
{
encryptAsnEncoded = KerberosUtility.Encrypt(
(EncryptionType)this.Context.SessionKey.keytype.Value,
this.Context.SessionKey.keyvalue.ByteArrayValue,
encryptAsnEncoded,
(int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData
);
encryptData.etype = new KerbInt32(this.Context.SessionKey.keytype.Value);
}
encryptData.cipher = new Asn1OctetString(encryptAsnEncoded);
kdcReqBody.enc_authorization_data = encryptData;
return(kdcReqBody);
}
/// <summary>
/// Update the Authorization Data part in Ticket with new value.
/// </summary>
/// <param name="ticket">Ticket to be updated with new authorizationData</param>
/// <param name="key">The key that encrypts ticket part.</param>
/// <param name="authorizationData">New authorizationData to update.</param>
public static void UpdateAuthDataInTicket(Ticket ticket, byte[] key, AuthorizationData authorizationData)
{
EncryptionType encryptType = (EncryptionType)ticket.enc_part.etype.Value;
byte[] clearText = KerberosUtility.Decrypt(
encryptType,
key,
ticket.enc_part.cipher.ByteArrayValue,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
// Decode the ticket.
Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(clearText);
EncTicketPart encTicketPart = new EncTicketPart();
encTicketPart.BerDecode(decodeBuffer);
// Set with new authorization data
encTicketPart.authorization_data = authorizationData;
Asn1BerEncodingBuffer ticketBerBuffer = new Asn1BerEncodingBuffer();
encTicketPart.BerEncode(ticketBerBuffer, true);
byte[] cipherData = KerberosUtility.Encrypt(
encryptType,
key,
ticketBerBuffer.Data,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
ticket.enc_part = new EncryptedData(new KerbInt32((int)encryptType), null, new Asn1OctetString(cipherData));
}
/// <summary>
/// Client initialize with server token
/// </summary>
/// <param name="serverToken">Server token</param>
private void ClientInitialize(byte[] serverToken)
{
KerberosApResponse apRep = this.GetApResponseFromToken(serverToken, KerberosConstValue.GSSToken.GSSAPI);
this.VerifyApResponse(apRep);
token = null;
if ((contextAttribute & ClientSecurityContextAttribute.DceStyle) == ClientSecurityContextAttribute.DceStyle)
{
KerberosApResponse apResponse = this.CreateApResponse(null);
var apBerBuffer = new Asn1BerEncodingBuffer();
if (apResponse.ApEncPart != null)
{
// Encode enc_part
apResponse.ApEncPart.BerEncode(apBerBuffer, true);
EncryptionKey key = this.Context.ApSessionKey;
if (key == null || key.keytype == null || key.keyvalue == null || key.keyvalue.Value == null)
{
throw new ArgumentException("Ap session key is not valid");
}
// Encrypt enc_part
EncryptionType eType = (EncryptionType)key.keytype.Value;
byte[] cipherData = KerberosUtility.Encrypt(
eType,
key.keyvalue.ByteArrayValue,
apBerBuffer.Data,
(int)KeyUsageNumber.AP_REP_EncAPRepPart);
apResponse.Response.enc_part = new EncryptedData(new KerbInt32((int)eType), null, new Asn1OctetString(cipherData));
}
// Encode AP Response
apResponse.Response.BerEncode(apBerBuffer, true);
if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
{
// In DCE mode, the AP-REP message MUST NOT have GSS-API wrapping.
// It is sent as is without encapsulating it in a header ([RFC2743] section 3.1).
this.token = apBerBuffer.Data;
}
else
{
this.token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(
BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REP)),
apBerBuffer.Data));
}
}
this.needContinueProcessing = false; // SEC_E_OK;
}
/// <summary>
/// Create an instance.
/// </summary>
public KpasswordRequest(KerberosTicket ticket, Authenticator authenticator, string newPwd, bool isAuthErrorRequired = false)
{
//Create KerberosApRequest
long pvno = KerberosConstValue.KERBEROSV5;
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
KerberosApRequest ap_req = new KerberosApRequest(pvno, option, ticket, authenticator, KeyUsageNumber.AP_REQ_Authenticator);
//Create KRB_PRIV
ChangePasswdData pwd_data = new ChangePasswdData(new Asn1OctetString(newPwd), null, null);
priv_enc_part = new EncKrbPrivPart();
priv_enc_part.user_data = pwd_data.newpasswd;
priv_enc_part.usec = authenticator.cusec;
priv_enc_part.seq_number = authenticator.seq_number;
priv_enc_part.s_address = new HostAddress(new KerbInt32((int)AddressType.NetBios), new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())));
Asn1BerEncodingBuffer asnBuffPriv = new Asn1BerEncodingBuffer();
priv_enc_part.BerEncode(asnBuffPriv, true);
byte[] encAsnEncodedPriv = null;
if (!isAuthErrorRequired)
{
encAsnEncodedPriv = KerberosUtility.Encrypt((EncryptionType)authenticator.subkey.keytype.Value,
authenticator.subkey.keyvalue.ByteArrayValue,
asnBuffPriv.Data,
(int)KeyUsageNumber.KRB_PRIV_EncPart);
}
else
{
encAsnEncodedPriv = KerberosUtility.Encrypt((EncryptionType)authenticator.subkey.keytype.Value,
authenticator.subkey.keyvalue.ByteArrayValue,
asnBuffPriv.Data,
(int)KeyUsageNumber.None);
}
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(authenticator.subkey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedPriv);
KRB_PRIV krb_priv = new KRB_PRIV(new Asn1Integer(pvno), new Asn1Integer((long)MsgType.KRB_PRIV), encrypted);
//Calculate the msg_length and ap_req_length
krb_priv.BerEncode(privBuffer, true);
ap_req.Request.BerEncode(apBuffer, true);
version = 0x0001;
ap_req_length = (ushort)apBuffer.Data.Length;
msg_length = (ushort)(ap_req_length + privBuffer.Data.Length + 3 * sizeof(ushort));
//Convert Endian
version = KerberosUtility.ConvertEndian(version);
ap_req_length = KerberosUtility.ConvertEndian(ap_req_length);
msg_length = KerberosUtility.ConvertEndian(msg_length);
}
/// <summary>
/// Create an instance.
/// </summary>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
KerberosUtility.OnDumpMessage("KRB5:Authenticator",
"Authenticator in AP-REQ structure",
KerberosUtility.DumpLevel.PartialMessage,
asnBuffPlainAuthenticator.Data);
byte[] encAsnEncodedAuth = KerberosUtility.Encrypt((EncryptionType)ticket.SessionKey.keytype.Value,
ticket.SessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)keyUsageNumber);
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(ticket.SessionKey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedAuth);
long msg_type = (long)MsgType.KRB_AP_REQ;
Request = new AP_REQ(new Asn1Integer(pvno), new Asn1Integer(msg_type), ap_options, ticket.Ticket, encrypted);
Authenticator = authenticator;
}
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
var keyvalue = KeyGenerator.KrbFxCf2(
(EncryptionType)armorKey.keytype.Value,
armorKey.keyvalue.ByteArrayValue,
userLongTermKey.keyvalue.ByteArrayValue,
"clientchallengearmor",
"challengelongterm");
switch (type)
{
case EncryptionType.AES256_CTS_HMAC_SHA1_96:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
case EncryptionType.RC4_HMAC:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
default:
throw new ArgumentException("Unsupported encryption type.");
}
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);
EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value),
null,
new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
encryptedChallenge.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data));
}
public override void Encrypt(params SecurityBuffer[] securityBuffers)
{
KerberosUtility.Encrypt(client, securityBuffers);
}
