public static void UpdateAuthDataInTicket(Ticket ticket, byte[] key, AuthorizationData authorizationData)
{
EncryptionType encryptType = (EncryptionType)ticket.enc_part.etype.Value;
byte[] clearText = KileUtility.Decrypt(
encryptType,
key,
ticket.enc_part.cipher.ByteArrayValue,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
// Decode the ticket.
var decodeBuffer = new Asn1DecodingBuffer(clearText);
var encTicketPart = new EncTicketPart();
encTicketPart.BerDecode(decodeBuffer);
// Set with new authorization data
encTicketPart.authorization_data = authorizationData;
var ticketBerBuffer = new Asn1BerEncodingBuffer();
encTicketPart.BerEncode(ticketBerBuffer, true);
byte[] cipherData = KileUtility.Encrypt(
encryptType,
key,
ticketBerBuffer.Data,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
ticket.enc_part = new EncryptedData(new KerbInt32((int)encryptType), null, new Asn1OctetString(cipherData));
}
/// <summary>
/// Construct PA_TGS_REQ for TGS request.
/// </summary>
/// <param name="cRealm">This field contains the name of the realm in which the client is registered and in
/// which initial authentication took place.</param>
/// <param name="cName">This field contains the name part of the client's principal identifier.</param>
/// <param name="checksumType">The checksum type in Authenticator.</param>
/// <param name="checksumBody">The data to compute checksum.</param>
/// <returns>The constructed PaData.</returns>
private PA_DATA ConstructTgsPaData(Realm cRealm, PrincipalName cName, ChecksumType checksumType, byte[] checksumBody)
{
AP_REQ request = new AP_REQ();
KerbAuthDataTokenRestrictions adRestriction =
ConstructKerbAuthDataTokenRestrictions(0,
(uint)LSAP_TOKEN_INFO_INTEGRITY_Flags.FULL_TOKEN,
(uint)LSAP_TOKEN_INFO_INTEGRITY_TokenIL.Medium,
new Guid().ToString());
AuthorizationData authData = ConstructAuthorizationData(adRestriction);
// create and encrypt authenticator
Authenticator authenticator = CreateAuthenticator(cRealm,
cName,
checksumType,
0,
0,
null,
authData,
context.TgsSessionKey,
checksumBody);
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
byte[] encAsnEncodedAuth =
KileUtility.Encrypt((EncryptionType)context.TgsSessionKey.keytype.Value,
context.TgsSessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator);
request.authenticator = new EncryptedData();
request.authenticator.etype = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32(context.TgsSessionKey.keytype.Value);
request.authenticator.cipher = new Asn1OctetString(encAsnEncodedAuth);
// create AP request
request.ap_options = new APOptions(KileUtility.ConvertInt2Flags((int)ApOptions.None));
request.msg_type = new Asn1Integer((int)MsgType.KRB_AP_REQ);
request.pvno = new Asn1Integer(ConstValue.KERBEROSV5);
request.ticket = context.TgsTicket;
Asn1BerEncodingBuffer apBerBuffer = new Asn1BerEncodingBuffer();
request.BerEncode(apBerBuffer, true);
return(new PA_DATA(new KerbInt32((int)PaDataType.PA_TGS_REQ), new Asn1OctetString(apBerBuffer.Data)));
}
public override void Encrypt(params SecurityBuffer[] securityBuffers)
{
KileUtility.Encrypt(server, securityBuffers);
}
public KileTgsRequest CreateTgsRequest(
Realm cRealm,
PrincipalName cName,
PrincipalName sName,
KRBFlags kdcOptions,
KerbUInt32 nonce,
Realm realm,
Asn1SequenceOf <PA_DATA> paData,
ChecksumType checksumType,
Ticket additionalTicket,
AuthorizationData authorizationData)
{
if (cRealm == null)
{
throw new ArgumentNullException("cRealm");
}
if (cName == null)
{
throw new ArgumentNullException("cName");
}
if (sName == null)
{
throw new ArgumentNullException("sName");
}
if (realm == null)
{
throw new ArgumentNullException("realm");
}
KileTgsRequest request = new KileTgsRequest(context);
request.Request.msg_type = new Asn1Integer((int)MsgType.KRB_TGS_REQ);
request.Request.pvno = new Asn1Integer(ConstValue.KERBEROSV5);
#region construct req_body
request.Request.req_body = new KDC_REQ_BODY();
request.Request.req_body.kdc_options = new KDCOptions(KileUtility.ConvertInt2Flags((int)kdcOptions));
request.Request.req_body.nonce = nonce;
request.Request.req_body.till = new KerberosTime(ConstValue.TGT_TILL_TIME);
request.Request.req_body.etype = context.ClientEncryptionTypes;
request.Request.req_body.realm = realm;
if (additionalTicket != null)
{
request.Request.req_body.additional_tickets = new Asn1SequenceOf <Ticket>(new Ticket[] { additionalTicket });
}
request.Request.req_body.sname = sName;
request.EncAuthorizationData = authorizationData;
if (authorizationData != null)
{
Asn1BerEncodingBuffer asnBuffer = new Asn1BerEncodingBuffer();
authorizationData.BerEncode(asnBuffer, true);
request.Request.req_body.enc_authorization_data = new EncryptedData();
request.Request.req_body.enc_authorization_data.etype = new KerbInt32(0);
byte[] encAsnEncoded = asnBuffer.Data;
if (context.TgsSessionKey != null && context.TgsSessionKey.keytype != null &&
context.TgsSessionKey.keyvalue != null && context.TgsSessionKey.keyvalue.Value != null)
{
encAsnEncoded = KileUtility.Encrypt((EncryptionType)context.TgsSessionKey.keytype.Value,
context.TgsSessionKey.keyvalue.ByteArrayValue,
asnBuffer.Data,
(int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData);
request.Request.req_body.enc_authorization_data.etype =
new KerbInt32(context.TgsSessionKey.keytype.Value);
}
request.Request.req_body.enc_authorization_data.cipher = new Asn1OctetString(encAsnEncoded);
}
#endregion construct req_body
#region construct PA_DATA
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
request.Request.req_body.BerEncode(bodyBuffer);
PA_DATA tgsPaData = ConstructTgsPaData(cRealm, cName, checksumType, bodyBuffer.Data);
request.Request.padata = new Asn1SequenceOf <PA_DATA>();
if (paData == null || paData.Elements == null || paData.Elements.Length == 0)
{
request.Request.padata.Elements = new PA_DATA[] { tgsPaData };
}
else
{
request.Request.padata.Elements = new PA_DATA[paData.Elements.Length + 1];
Array.Copy(paData.Elements, request.Request.padata.Elements, paData.Elements.Length);
request.Request.padata.Elements[paData.Elements.Length] = tgsPaData;
}
#endregion construct PA_DATA
return(request);
}