public PrivilegedAttributeCertificate(KrbAuthorizationData authz, SignatureMode mode = SignatureMode.Kdc)
: base(authz?.Type ?? 0, AuthorizationDataType.AdWin2kPac)
{
var pac = authz.Data;
this.pacData = new byte[pac.Length];
this.Mode = mode;
pac.CopyTo(this.pacData);
using (var stream = new NdrBuffer(pac, align: false))
{
var count = stream.ReadInt32LittleEndian();
this.Version = stream.ReadInt32LittleEndian();
if (this.Version != PAC_VERSION)
{
throw new InvalidDataException($"Unknown PAC Version {this.Version}");
}
var errors = new List <PacDecodeError>();
for (var i = 0; i < count; i++)
{
var type = (PacType)stream.ReadInt32LittleEndian();
var size = stream.ReadInt32LittleEndian();
var offset = stream.ReadInt64LittleEndian();
var pacInfoBuffer = pac.Slice((int)offset, size);
int exclusionStart;
int exclusionLength;
try
{
this.ParsePacType(type, pacInfoBuffer, out exclusionStart, out exclusionLength);
}
catch (Exception ex)
{
errors.Add(new PacDecodeError()
{
Type = type,
Data = pacInfoBuffer,
Exception = ex
});
throw;
}
if (exclusionStart > 0 && exclusionLength > 0)
{
this.pacData.Span.Slice((int)offset + exclusionStart, exclusionLength).Clear();
}
}
this.DecodingErrors = errors;
}
}
internal static void Decode <T>(AsnReader reader, out T decoded)
where T : KrbAuthorizationDataSequence, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
Asn1Tag tag = reader.PeekTag();
AsnReader collectionReader;
if (tag.HasSameClassAndValue(Asn1Tag.Sequence))
{
// Decode SEQUENCE OF for AuthorizationData
{
collectionReader = reader.ReadSequence();
var tmpList = new List <KrbAuthorizationData>();
KrbAuthorizationData tmpItem;
while (collectionReader.HasData)
{
KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out tmpItem);
tmpList.Add(tmpItem);
}
decoded.AuthorizationData = tmpList.ToArray();
}
}
else
{
throw new CryptographicException();
}
}
public PrivilegedAttributeCertificate(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.AdWin2kPac)
{
var pac = authz.Data;
pacData = MemoryMarshal.AsMemory(pac);
var stream = new NdrBuffer(pac, align: false);
var count = stream.ReadInt32LittleEndian();
Version = stream.ReadInt32LittleEndian();
if (Version != PAC_VERSION)
{
throw new InvalidDataException($"Unknown PAC Version {Version}");
}
var errors = new List <PacDecodeError>();
for (var i = 0; i < count; i++)
{
var type = (PacType)stream.ReadInt32LittleEndian();
var size = stream.ReadInt32LittleEndian();
var offset = stream.ReadInt64LittleEndian();
var pacInfoBuffer = pac.Slice((int)offset, size);
int exclusionStart;
int exclusionLength;
try
{
ParsePacType(type, pacInfoBuffer, out exclusionStart, out exclusionLength);
}
catch (Exception ex)
{
errors.Add(new PacDecodeError()
{
Type = type,
Data = pacInfoBuffer,
Exception = ex
});
throw;
}
if (exclusionStart > 0 && exclusionLength > 0)
{
pacData.Span.Slice((int)offset + exclusionStart, exclusionLength).Fill(0);
}
}
DecodingErrors = errors;
}
public PrivilegedAttributeCertificate(KrbAuthorizationData authz)
: base(authz.Type, AuthorizationDataType.AdWin2kPac)
{
var pac = authz.Data;
Stream = new NdrBinaryStream(pac);
pacData = MemoryMarshal.AsMemory(authz.Data);
var count = Stream.ReadInt();
var version = Stream.ReadInt();
if (version != PAC_VERSION)
{
throw new InvalidDataException($"Unknown PAC Version {version}");
}
var errors = new List <PacDecodeError>();
for (var i = 0; i < count; i++)
{
var type = (PacType)Stream.ReadInt();
var size = Stream.ReadInt();
var offset = Stream.ReadLong();
var pacInfoBuffer = pac.Slice((int)offset, size);
int exclusionStart = 0;
int exclusionLength = 0;
try
{
ParsePacType(type, pacInfoBuffer, out exclusionStart, out exclusionLength);
}
catch (Exception ex)
{
errors.Add(new PacDecodeError()
{
Type = type,
Data = pacInfoBuffer,
Exception = ex
});
}
if (exclusionStart > 0 && exclusionLength > 0)
{
pacData.Span.Slice((int)offset + exclusionStart, exclusionLength).Fill(0);
}
}
DecodingErrors = errors;
HasRequiredFields = ServerSignature != null && KdcSignature != null;
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbEncTicketPart, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (explicitReader.TryReadPrimitiveBitStringValue(out _, out ReadOnlyMemory <byte> tmpFlags))
{
decoded.Flags = (TicketFlags)tmpFlags.AsLong();
}
else
{
decoded.Flags = (TicketFlags)explicitReader.ReadBitString(out _).AsLong();
}
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbEncryptionKey.Decode <KrbEncryptionKey>(explicitReader, out decoded.Key);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.CName);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
KrbTransitedEncoding.Decode <KrbTransitedEncoding>(explicitReader, out decoded.Transited);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
decoded.AuthTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
decoded.StartTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
decoded.EndTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
decoded.RenewTill = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 9)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 9));
// Decode SEQUENCE OF for CAddr
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbHostAddress>();
KrbHostAddress tmpItem;
while (collectionReader.HasData)
{
KrbHostAddress.Decode <KrbHostAddress>(collectionReader, out tmpItem);
tmpList.Add(tmpItem);
}
decoded.CAddr = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 10)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 10));
// Decode SEQUENCE OF for AuthorizationData
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbAuthorizationData>();
KrbAuthorizationData tmpItem;
while (collectionReader.HasData)
{
KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out tmpItem);
tmpList.Add(tmpItem);
}
decoded.AuthorizationData = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbAuthenticator, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out int tmpAuthenticatorVersionNumber))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.AuthenticatorVersionNumber = tmpAuthenticatorVersionNumber;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpChecksum);
decoded.Checksum = tmpChecksum;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
if (!explicitReader.TryReadInt32(out int tmpCuSec))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.CuSec = tmpCuSec;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
decoded.CTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
KrbEncryptionKey.Decode <KrbEncryptionKey>(explicitReader, out KrbEncryptionKey tmpSubkey);
decoded.Subkey = tmpSubkey;
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 7)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
if (explicitReader.TryReadInt32(out int tmpSequenceNumber))
{
decoded.SequenceNumber = tmpSequenceNumber;
}
else
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
// Decode SEQUENCE OF for AuthorizationData
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbAuthorizationData>();
KrbAuthorizationData tmpItem;
while (collectionReader.HasData)
{
KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out KrbAuthorizationData tmp);
tmpItem = tmp;
tmpList.Add(tmpItem);
}
decoded.AuthorizationData = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}