public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
byte[] key = KeyGenerator.MakeKey(eType, password, salt);
this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(key));
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.PA_ENC_TIMESTAMP);
// create an encrypted timestamp
PA_ENC_TIMESTAMP paEncTimeStamp =
new PA_ENC_TIMESTAMP(new KerbInt32(this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
paEncTimeStamp.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP), new Asn1OctetString(paEncTimestampBuffer.Data));
}
private void DecryptTicket(EncryptionType type, byte[] sessionKey)
{
var ticketEncPartRawData = KerberosUtility.Decrypt(
type,
sessionKey,
Response.ticket.enc_part.cipher.ByteArrayValue,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
TicketEncPart = new EncTicketPart();
TicketEncPart.BerDecode(new Asn1DecodingBuffer(ticketEncPartRawData));
KerberosUtility.OnDumpMessage("KRB5:TicketEncPart",
"Encrypted Ticket in TGS-REP",
KerberosUtility.DumpLevel.PartialMessage,
ticketEncPartRawData);
}
/// <summary>
/// Decode TGS Response from bytes
/// </summary>
/// <param name="buffer">byte array to be decoded</param>
/// <exception cref="System.ArgumentNullException">thrown when input buffer is null</exception>
public override void FromBytes(byte[] buffer)
{
if (null == buffer)
{
throw new ArgumentNullException("buffer");
}
KerberosUtility.OnDumpMessage("KRB5:KrbMessage",
"Kerberos Message",
KerberosUtility.DumpLevel.WholeMessage,
buffer);
// Decode TGS Response
Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(buffer);
Response.BerDecode(decodeBuffer);
}
public void DecryptTgsResponse(byte[] key, KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
{
var encryptType = (EncryptionType)Response.enc_part.etype.Value;
var encPartRawData = KerberosUtility.Decrypt(
encryptType,
key,
Response.enc_part.cipher.ByteArrayValue,
(int)usage);
EncPart = new EncTGSRepPart();
EncPart.BerDecode(new Asn1DecodingBuffer(encPartRawData));
KerberosUtility.OnDumpMessage("KRB5:TGS-REP(enc-part)",
"Encrypted part of TGS-REP",
KerberosUtility.DumpLevel.PartialMessage,
encPartRawData);
}
/// <summary>
/// Decode the Krb Error from bytes
/// </summary>
/// <param name="buffer">The byte array to be decoded.</param>
/// <exception cref="System.ArgumentNullException">thrown when input buffer is null</exception>
public override void FromBytes(byte[] buffer)
{
if (null == buffer)
{
throw new ArgumentNullException("buffer");
}
KerberosUtility.OnDumpMessage("KRB5:KrbMessage",
"Kerberos Message",
KerberosUtility.DumpLevel.WholeMessage,
buffer);
// Decode Krb Error
Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(buffer);
this.KrbError.BerDecode(decodeBuffer);
ErrorCode = (KRB_ERROR_CODE)KrbError.error_code.Value;
}
/// <summary>
/// Decode AS Response from bytes
/// </summary>
/// <param name="buffer">the byte array to be decoded</param>
/// <exception cref="System.ArgumentNullException">thrown when input buffer is null</exception>
public override void FromBytes(byte[] buffer)
{
if (null == buffer)
{
throw new ArgumentNullException("buffer");
}
KerberosUtility.OnDumpMessage("KRB5:KrbMessage",
"Kerberos Message",
KerberosUtility.DumpLevel.WholeMessage,
buffer);
// Decode AS Response
Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(buffer);
this.Response.BerDecode(decodeBuffer);
// Get the current encryption type, cipher data, session key
EncryptionType encryptType = (EncryptionType)this.Response.enc_part.etype.Value;
}
/// <summary>
/// Encode this class into byte array.
/// </summary>
/// <returns>The byte array of the class.</returns>
public override byte[] ToBytes()
{
Asn1BerEncodingBuffer tgsBerBuffer = new Asn1BerEncodingBuffer();
this.Request.BerEncode(tgsBerBuffer, true);
KerberosUtility.OnDumpMessage("KRB5:KrbMessage",
"Kerberos Message",
KerberosUtility.DumpLevel.WholeMessage,
tgsBerBuffer.Data);
if (transportType == TransportType.TCP)
{
return(KerberosUtility.WrapLength(tgsBerBuffer.Data, true));
}
else
{
return(tgsBerBuffer.Data);
}
}
public KerberosFastResponse GetKerberosFastRep(EncryptionKey key)
{
var armoredRep = GetArmoredRep();
var decrypted = KerberosUtility.Decrypt((EncryptionType)key.keytype.Value,
key.keyvalue.ByteArrayValue,
armoredRep.enc_fast_rep.cipher.ByteArrayValue,
(int)KeyUsageNumber.FAST_REP
);
KerberosUtility.OnDumpMessage("KRB5:KrbFastArmoredRep(enc-fast-req)",
"An encrypted KrbFastRep in PA_FX_FAST_REPLY",
KerberosUtility.DumpLevel.PartialMessage,
decrypted);
KrbFastResponse fastrep = new KrbFastResponse();
fastrep.BerDecode(new Asn1DecodingBuffer(decrypted));
return(new KerberosFastResponse(fastrep));
}
public void Decrypt(byte[] key)
{
var encryptType = (EncryptionType)Response.enc_part.etype.Value;
var decoded = KerberosUtility.Decrypt(
encryptType,
key,
Response.enc_part.cipher.ByteArrayValue,
(int)KeyUsageNumber.AP_REP_EncAPRepPart);
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
decoded);
ApEncPart = new EncAPRepPart();
ApEncPart.BerDecode(new Asn1DecodingBuffer(decoded));
KerberosUtility.OnDumpMessage("KRB5:AP-REP(enc-part)",
"Encrypted part of AS-REP",
KerberosUtility.DumpLevel.PartialMessage,
decoded);
}
private void DecryptAsResponse(byte[] key)
{
var encryptType = (EncryptionType)Response.enc_part.etype.Value;
int keyUsage = (int)KeyUsageNumber.AS_REP_ENCRYPTEDPART;
if (encryptType == EncryptionType.RC4_HMAC)
{
keyUsage = (int)KeyUsageNumber.TGS_REP_encrypted_part;
}
var encPartRawData = KerberosUtility.Decrypt(
encryptType,
key,
Response.enc_part.cipher.ByteArrayValue,
keyUsage);
Asn1DecodingBuffer buf = new Asn1DecodingBuffer(encPartRawData);
Asn1Tag tag = null;
Asn1StandardProcedure.TagBerDecode(buf, out tag);
//Some implementations unconditionally send an encrypted EncTGSRepPart in the field
//regardless of whether the reply is an AS-REP or a TGS-REP.([RFC4120] Section 5.4.2)
if (tag.TagValue == 25) //EncAsRepPart
{
EncPart = new EncASRepPart();
}
else if (tag.TagValue == 26) //EncTgsRepPart
{
EncPart = new EncTGSRepPart();
}
else
{
throw new Exception("Unknown tag number");
}
EncPart.BerDecode(new Asn1DecodingBuffer(encPartRawData));
KerberosUtility.OnDumpMessage("KRB5:AS-REP(enc-part)",
"Encrypted part of AS-REP",
KerberosUtility.DumpLevel.PartialMessage,
encPartRawData);
}
/// <summary>
/// Create an instance.
/// </summary>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
KerberosUtility.OnDumpMessage("KRB5:Authenticator",
"Authenticator in AP-REQ structure",
KerberosUtility.DumpLevel.PartialMessage,
asnBuffPlainAuthenticator.Data);
byte[] encAsnEncodedAuth = KerberosUtility.Encrypt((EncryptionType)ticket.SessionKey.keytype.Value,
ticket.SessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)keyUsageNumber);
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(ticket.SessionKey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedAuth);
long msg_type = (long)MsgType.KRB_AP_REQ;
Request = new AP_REQ(new Asn1Integer(pvno), new Asn1Integer(msg_type), ap_options, ticket.Ticket, encrypted);
Authenticator = authenticator;
}
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
var keyvalue = KeyGenerator.KrbFxCf2(
(EncryptionType)armorKey.keytype.Value,
armorKey.keyvalue.ByteArrayValue,
userLongTermKey.keyvalue.ByteArrayValue,
"clientchallengearmor",
"challengelongterm");
switch (type)
{
case EncryptionType.AES256_CTS_HMAC_SHA1_96:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
case EncryptionType.RC4_HMAC:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
default:
throw new ArgumentException("Unsupported encryption type.");
}
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);
EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value),
null,
new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
encryptedChallenge.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data));
}
