public bool Authen(string uid)
{
// 用户发送TGS请求的条件 :
// 【TGTicket存在】
if (!string.IsNullOrEmpty(uid))
{
this.kerbTgsReq = CreateKerbTGSReq(uid);
this.kerbApReq = CreateKerbApReq();
if (VisitApp()) //访问
{
return true;
}
}
return false;
}
/*
*
* TGT解密的过程不是在:Client端被解密,而是在TGSServer端被解密
*
* TGS服务器处理KerbTGSRequest请求,并判断TGTicket是否有效;
* 有效的话,则直接产生STicket
* **/
public void HandleTgsReq(KerbTGSRequest kerbTgsRequest, out bool tgsvalid, out string kerbTgsResponse)
{
// out型参数可以不被初始化
string session_key_1 = kerbTgsRequest.session_key_1;
string encryptUid = kerbTgsRequest.encryptUid;
//TGTicket tgticket = kerbTgsRequest.tgticket;
string encrptTgsTicket = kerbTgsRequest.encyptgsTicket;
string tgticket = desCrypt.Decrypt(encrptTgsTicket, KeyType.AS_TGS_Key, KeyType.Iv);
string[] ticketArray = tgticket.Split('|');
string uid = ticketArray[0];
DateTime ts2 = Convert.ToDateTime(ticketArray[1]);
double lifetime2 = Convert.ToDouble(ticketArray[2]);
TGTicket tgtTicket = new TGTicket(uid, ts2, lifetime2);
string validUid = desCrypt.Decrypt(encryptUid, session_key_1, KeyType.Iv);
string errorInfo = string.Empty;
if ((!validUid.Equals(uid)) || (string.IsNullOrEmpty(validUid)))
{
errorInfo = "TGS票据被修改,uid的值已经被改变";
tgsvalid = false;
kerbTgsResponse = "";
HandleTgsReq(kerbTgsRequest, out tgsvalid, out kerbTgsResponse);
}
else if (IsTGTExpired(tgtTicket))
{
errorInfo = "TGS票据过期";
tgsvalid = false;
kerbTgsResponse = "";
HandleTgsReq(kerbTgsRequest, out tgsvalid, out kerbTgsResponse); //重新获取tgsResp请求
}
else
{
// 下面就是TGS服务器向Client发送的 uid与STicket中的uid是一样的
STicket sticket = new STicket(uid);
string key1 = KeyType.Client_AP_Key; //Client与AP应用服务之间的会话密钥
string iv = KeyType.Iv; // Or "********"
string strBuilder1 = string.Concat(sticket.STIdentity, "|", Convert.ToString(sticket.TS4));
string strBuilder2 = string.Concat(strBuilder1, "|", Convert.ToString(sticket.LifeTime4));
string strBuilder3 = string.Concat(strBuilder2, "|", uid);
string strBuilder = string.Concat(strBuilder3, "|", Convert.ToString(sticket.Adc1));
string encryptSticket = desCrypt.Encrypt(strBuilder, KeyType.TGS_AP_Key, KeyType.Iv); //加密过后的STicket
// 下面实现一个时间戳验证
//DateTime ts4_1 = DateTime.Now;
//string test = desCrypt.GenerateDesCryProvider(ref key1,ref iv);
// 主要是确保随机密钥的安全性:下面就是数字签名的流程
key1 = desCrypt.GenerateDesCryProvider(ref key1, ref iv);//desCrypt.GenerateDesCryProvider(ref key1, ref iv);
//string key1text = rsaCrpt.RSAEncrypt(HttpUtility.HtmlDecode(publicKey), key1);
string hashData = "";
rsaCrpt.GetHash(key1, ref hashData);
string rsasign = ""; //key1text的数字签名
rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);
string kerbTgsResp = string.Concat(string.Concat(encryptSticket, "|", key1), "|", uid); // AS向Client发回的响应
//kerbTgsResp = string.Concat(kerbTgsResp, ",", rsasign);
tgsvalid = true;
kerbTgsResponse = kerbTgsResp;
}
}
//产生KerbTGSRequest请求
/**
还有一种解决对象和字符串的方法就是:
* 直接将对象转换成JSON类型 或者直接用:对象的序列化
*
*/
public KerbTGSRequest CreateKerbTGSReq(string ADMIN_UID)
{
this.Uid = ADMIN_UID; //这里进行初始化
string[] strArray0 = kerbAsResponse.Split(',');
string rsasign = strArray0[1];
//string decryptKerbAsResp = desCryp.Decrypt(kerbAsResponse, KeyType.AS_Client_Key, KeyType.Iv); //没有添加数字签名前的解密操作
string decryptKerbAsResp = desCryp.Decrypt(strArray0[0], KeyType.AS_Client_Key, KeyType.Iv);
string[] strArray = decryptKerbAsResp.Split('|');
string encrypttgTicket = "";
string session_key_1 = "";
string uid = "";
encrypttgTicket = strArray[0];
session_key_1 = strArray[1];
uid = strArray[2];
// 数字签名认证的流程:
//string strhash = rsaCryp.RSAEncrypt(HttpUtility.HtmlDecode(publicKey), session_key_1); //这个与ASServer中产生的key1text不一样
string hashdata = "";
rsaCryp.GetHash(session_key_1, ref hashdata);
if (rsaCryp.SignatureDeformatter(HttpUtility.HtmlDecode(publicKey), hashdata, rsasign))
{
// 在Client端不能对TGTicket进行解密处理。
//string tgticket = desCryp.Decrypt(encrypttgTicket, KeyType.AS_TGS_Key, KeyType.Iv);
//string[] ticketArray = tgticket.Split('|');
//string uid = ticketArray[0];
//DateTime ts2 = Convert.ToDateTime(ticketArray[1]);
//double lifetime2 = Convert.ToDouble(ticketArray[2]);
//this.tgTicket = new TGTicket(uid,ts2,lifetime2);
//string encryptUid = desCryp.Encrypt(uid, session_key_1, KeyType.Iv);
//this.kerbTgsReq = new KerbTGSRequest(this.tgTicket,session_key_1,encryptUid);
string encryptUid = desCryp.Encrypt(uid, session_key_1, KeyType.Iv);
this.kerbTgsReq = new KerbTGSRequest(encrypttgTicket, session_key_1, encryptUid);
return this.kerbTgsReq;
}
else //表示Session_key_1被修改 ,做的只有重新生成密钥。
{
errorInfo = "随机密钥发生变化,请重新生成随机密钥。"; //保证密钥的安全性
this.kerbAsResponse = asServer.CreateKerbAsResp(this.Uid, out this.tgTicket); // kerbAsResponse发生变化
this.kerbTgsReq = CreateKerbTGSReq(ADMIN_UID);
return this.kerbTgsReq;
}
}
