        /// <summary>
        /// Client-side entry point: builds the TGS request for <paramref name="uid"/>,
        /// then the AP request, and finally tries to reach the application service.
        /// </summary>
        /// <param name="uid">User id to authenticate; null/empty short-circuits to false.</param>
        /// <returns>true only when <c>VisitApp()</c> reports success.</returns>
        public bool Authen(string uid)
        {
            // Precondition stated by the original author: a TGT must already be held.
            // NOTE(review): that precondition is not checked here — only the uid is;
            // it is CreateKerbTGSReq that actually consumes the stored AS reply.
            if (string.IsNullOrEmpty(uid))
            {
                return false;
            }

            this.kerbTgsReq = CreateKerbTGSReq(uid);
            this.kerbApReq = CreateKerbApReq();

            // Access the application service with the ticket just obtained.
            return VisitApp();
        }
        /*
         *
         * The TGT is NOT decrypted on the client; it is decrypted on the TGS server.
         *
         * The TGS server handles the KerbTGSRequest and checks whether the TGTicket is valid;
         * if it is, it issues the STicket directly.
         * **/
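        /// <summary>
        /// TGS side of the exchange: opens the TGT with the AS&lt;-&gt;TGS key, checks that the
        /// uid inside it matches the uid the client encrypted under session_key_1, checks
        /// expiry, and on success issues a service ticket encrypted under the TGS&lt;-&gt;AP key.
        /// </summary>
        /// <param name="kerbTgsRequest">Request built by the client: TGT ciphertext, session key, uid ciphertext.</param>
        /// <param name="tgsvalid">true only when the TGT verified and a response was produced.</param>
        /// <param name="kerbTgsResponse">"encryptSticket|key1|uid" on success, "" otherwise.</param>
        /// <remarks>
        /// Fix: the original called itself again with the very same request whenever the
        /// ticket was tampered with or expired, which never terminates (stack overflow —
        /// a crash any client can trigger with one bad ticket). A bad ticket is now
        /// rejected once and reported through the out parameters. Malformed or
        /// undecryptable input is likewise a rejection rather than an exception.
        /// </remarks>
        public void HandleTgsReq(KerbTGSRequest kerbTgsRequest, out bool tgsvalid, out string kerbTgsResponse)
        {
            // Pessimistic defaults: every early exit below is a rejection.
            tgsvalid = false;
            kerbTgsResponse = "";

            if (kerbTgsRequest == null)
            {
                return;
            }

            string session_key_1 = kerbTgsRequest.session_key_1;
            string encryptUid = kerbTgsRequest.encryptUid;
            string encrptTgsTicket = kerbTgsRequest.encyptgsTicket;

            // Both ciphertexts come from the client and are untrusted: a decryption
            // failure must be a rejection, not a crash.
            string tgticket;
            string validUid;
            try
            {
                // The TGT is opened with the AS<->TGS key (the client never holds it).
                tgticket = desCrypt.Decrypt(encrptTgsTicket, KeyType.AS_TGS_Key, KeyType.Iv);
                // The uid the client encrypted under the session key from the AS reply.
                validUid = desCrypt.Decrypt(encryptUid, session_key_1, KeyType.Iv);
            }
            catch (FormatException)
            {
                return; // not even well-formed input (e.g. bad base64)
            }
            catch (System.Security.Cryptography.CryptographicException)
            {
                return; // wrong key / bad padding — presumably what desCrypt surfaces; confirm
            }

            // Ticket layout "uid|timestamp|lifetime", as written by the AS (not visible here).
            string[] ticketArray = (tgticket ?? "").Split('|');
            if (ticketArray.Length < 3)
            {
                return;
            }
            string uid = ticketArray[0];
            DateTime ts2;
            double lifetime2;
            // Same current-culture parsing as Convert.ToDateTime/ToDouble, but a
            // tampered field is rejected instead of throwing.
            if (!DateTime.TryParse(ticketArray[1], out ts2) || !double.TryParse(ticketArray[2], out lifetime2))
            {
                return;
            }

            TGTicket tgtTicket = new TGTicket(uid, ts2, lifetime2);

            // The uid inside the TGT must match the uid the client proved it knows the
            // session key for; anything else is a modified or replayed ticket.
            if (string.IsNullOrEmpty(validUid) || !string.Equals(validUid, uid, StringComparison.Ordinal))
            {
                return; // TGS ticket modified: uid changed
            }
            if (IsTGTExpired(tgtTicket))
            {
                return; // TGS ticket expired
            }

            // Service ticket for the AP; the uid inside it is the TGT's uid.
            STicket sticket = new STicket(uid);
            string key1 = KeyType.Client_AP_Key;  // Client<->AP session key (seed value)
            string iv = KeyType.Iv;
            string plainSticket = string.Join("|",
                sticket.STIdentity,
                Convert.ToString(sticket.TS4),
                Convert.ToString(sticket.LifeTime4),
                uid,
                Convert.ToString(sticket.Adc1));
            string encryptSticket = desCrypt.Encrypt(plainSticket, KeyType.TGS_AP_Key, KeyType.Iv);

            // Fresh random Client<->AP session key. The RSA signature over its hash is
            // computed but — as in the original — never appended to the reply, so the
            // client has nothing to verify.
            key1 = desCrypt.GenerateDesCryProvider(ref key1, ref iv);
            string hashData = "";
            rsaCrpt.GetHash(key1, ref hashData);
            string rsasign = "";
            rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);

            // NOTE(review): key1 travels in the clear here. In Kerberos the TGS reply
            // carries the new session key encrypted under the TGT session key
            // (session_key_1); anyone who observes this response learns the Client<->AP
            // key. Left unchanged because the client-side parser of this format is not
            // visible here.
            kerbTgsResponse = string.Concat(encryptSticket, "|", key1, "|", uid);
            tgsvalid = true;
        }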
        // Builds the KerbTGSRequest
        /**
           Another way to convert between the object and its string form would be to
         * serialise the object straight to JSON, or to use plain object serialisation.
         *
         */
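        /// <summary>
        /// Client side: turns the AS reply held in <c>this.kerbAsResponse</c> into a
        /// <c>KerbTGSRequest</c>. The reply is "&lt;DES ciphertext&gt;,&lt;RSA signature&gt;"; the
        /// ciphertext (under AS_Client_Key) decrypts to "encrypttgTicket|session_key_1|uid".
        /// The signature is over the hash of session_key_1 and is verified with the public
        /// key before the session key is trusted. The TGT itself is never decrypted here.
        /// </summary>
        /// <param name="ADMIN_UID">User id to authenticate; also stored in <c>this.Uid</c>.</param>
        /// <returns>The request, which is also stored in <c>this.kerbTgsReq</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// No AS reply with a valid signature was obtained after a bounded number of attempts.
        /// </exception>
        /// <remarks>
        /// Fix: the original re-requested from the AS and recursed without bound on every
        /// signature failure, so a persistent mismatch (e.g. a mis-configured
        /// publicKey/privateKey pair) overflowed the stack. Retries are now capped.
        /// </remarks>
        public KerbTGSRequest CreateKerbTGSReq(string ADMIN_UID)
        {
            this.Uid = ADMIN_UID;

            // One retry already covers a changed AS reply; the cap is what makes a
            // persistent failure terminate.
            const int MaxAsAttempts = 3;

            for (int attempt = 1; ; attempt++)
            {
                // AS reply layout: "<DES ciphertext>,<RSA signature>".
                string[] strArray0 = (this.kerbAsResponse ?? "").Split(',');

                string encrypttgTicket = "";
                string session_key_1 = "";
                string uid = "";
                bool signatureOk = false;

                if (strArray0.Length >= 2)
                {
                    string rsasign = strArray0[1];
                    // Ciphertext (under AS_Client_Key) -> "encrypttgTicket|session_key_1|uid".
                    string decryptKerbAsResp = desCryp.Decrypt(strArray0[0], KeyType.AS_Client_Key, KeyType.Iv);
                    string[] strArray = (decryptKerbAsResp ?? "").Split('|');
                    if (strArray.Length >= 3)
                    {
                        encrypttgTicket = strArray[0];
                        session_key_1 = strArray[1];
                        uid = strArray[2];

                        // The signature covers the hash of session_key_1 only.
                        string hashdata = "";
                        rsaCryp.GetHash(session_key_1, ref hashdata);
                        signatureOk = rsaCryp.SignatureDeformatter(HttpUtility.HtmlDecode(publicKey), hashdata, rsasign);
                    }
                }

                if (signatureOk)
                {
                    // The TGT is NOT decrypted on the client; it is forwarded opaque.
                    // NOTE(review): `uid` is taken from the AS reply and is never compared
                    // with ADMIN_UID — confirm whether that is intended.
                    string encryptUid = desCryp.Encrypt(uid, session_key_1, KeyType.Iv);
                    this.kerbTgsReq = new KerbTGSRequest(encrypttgTicket, session_key_1, encryptUid);
                    return this.kerbTgsReq;
                }

                // The session key or its signature did not verify: the only remedy is a
                // fresh AS reply (and with it a fresh random key).
                errorInfo = "随机密钥发生变化,请重新生成随机密钥。";
                if (attempt >= MaxAsAttempts)
                {
                    throw new InvalidOperationException(
                        "AS response signature could not be verified after " + MaxAsAttempts + " attempts");
                }
                this.kerbAsResponse = asServer.CreateKerbAsResp(this.Uid, out this.tgTicket);
            }
        }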