private static KrbChecksum GenerateChecksum(KerberosKey key, KrbPrincipalName userName, string userRealm, string authPackage)
{
var dataLength = 0;
dataLength += 4;
foreach (var name in userName.Name)
{
dataLength += name.Length;
}
dataLength += userRealm.Length;
dataLength += authPackage.Length;
var checksumData = new Memory <byte>(new byte[dataLength]);
Endian.ConvertToLittleEndian((int)userName.Type, checksumData);
var position = 4;
for (var i = 0; i < userName.Name.Length; i++)
{
Concat(checksumData, ref position, ref userName.Name[i]);
}
Concat(checksumData, ref position, ref userRealm);
Concat(checksumData, ref position, ref authPackage);
return(KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType));
}
public static KrbApReq CreateApReq(
KrbKdcRep tgsRep,
KerberosKey authenticatorKey,
ApOptions options,
out KrbAuthenticator authenticator
)
{
var ticket = tgsRep.Ticket;
authenticator = new KrbAuthenticator
{
CName = tgsRep.CName,
Realm = ticket.Realm,
SequenceNumber = KerberosConstants.GetNonce(),
Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType),
Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo())
};
KerberosConstants.Now(out authenticator.CTime, out authenticator.CuSec);
var apReq = new KrbApReq
{
Ticket = ticket,
ApOptions = options,
Authenticator = KrbEncryptedData.Encrypt(
authenticator.EncodeApplication(),
authenticatorKey,
KeyUsage.ApReqAuthenticator
)
};
return(apReq);
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbPaForUser, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.UserName);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
decoded.UserRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out decoded.Checksum);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
decoded.AuthPackage = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
public void GenerateChecksum(KerberosKey key)
{
var dataLength = 0;
dataLength += 4;
foreach (var name in UserName.Name)
{
dataLength += name.Length;
}
dataLength += UserRealm.Length;
dataLength += AuthPackage.Length;
var checksumData = new Memory <byte>(new byte[dataLength]);
Endian.ConvertToLittleEndian((int)UserName.Type, checksumData);
var position = 4;
for (var i = 0; i < UserName.Name.Length; i++)
{
Concat(checksumData, ref position, ref UserName.Name[i]);
}
Concat(checksumData, ref position, ref UserRealm);
Concat(checksumData, ref position, ref AuthPackage);
Checksum = KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType);
}
private static KrbChecksum GenerateChecksum(KerberosKey key, KrbPrincipalName userName, string userRealm, string authPackage)
{
var dataLength = 0;
dataLength += 4;
foreach (var name in userName.Name)
{
dataLength += name.Length;
}
dataLength += userRealm.Length;
dataLength += authPackage.Length;
var checksumData = new Memory <byte>(new byte[dataLength]);
BinaryPrimitives.WriteInt32LittleEndian(checksumData.Span, (int)userName.Type);
var position = 4;
for (var i = 0; i < userName.Name.Length; i++)
{
Concat(checksumData, userName.Name[i], ref position);
}
Concat(checksumData, userRealm, ref position);
Concat(checksumData, authPackage, ref position);
return(KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType));
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbPaS4uX509User, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
KrbS4uUserId.Decode <KrbS4uUserId>(explicitReader, out KrbS4uUserId tmpUserId);
decoded.UserId = tmpUserId;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpChecksum);
decoded.Checksum = tmpChecksum;
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbFastFinished, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
decoded.Timestamp = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
if (!explicitReader.TryReadInt32(out int tmpUSec))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.USec = tmpUSec;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpTicketChecksum);
decoded.TicketChecksum = tmpTicketChecksum;
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
public static KrbApReq CreateApReq(
KrbKdcRep tgsRep,
KerberosKey authenticatorKey,
RequestServiceTicket rst,
out KrbAuthenticator authenticator
)
{
if (tgsRep == null)
{
throw new ArgumentNullException(nameof(tgsRep));
}
if (authenticatorKey == null)
{
throw new ArgumentNullException(nameof(authenticatorKey));
}
var ticket = tgsRep.Ticket;
authenticator = new KrbAuthenticator
{
CName = tgsRep.CName,
Realm = ticket.Realm,
SequenceNumber = KerberosConstants.GetNonce(),
Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType),
Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo(rst))
};
KerberosConstants.Now(out DateTimeOffset ctime, out int usec);
authenticator.CTime = ctime;
authenticator.CuSec = usec;
var apReq = new KrbApReq
{
Ticket = ticket,
ApOptions = rst.ApOptions,
Authenticator = KrbEncryptedData.Encrypt(
authenticator.EncodeApplication(),
authenticatorKey,
KeyUsage.ApReqAuthenticator
)
};
return(apReq);
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbFastArmoredReq, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 0)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
KrbFastArmor.Decode <KrbFastArmor>(explicitReader, out KrbFastArmor tmpArmor);
decoded.Armor = tmpArmor;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpRequestChecksum);
decoded.RequestChecksum = tmpRequestChecksum;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbEncryptedData.Decode <KrbEncryptedData>(explicitReader, out KrbEncryptedData tmpEncryptedFastRequest);
decoded.EncryptedFastRequest = tmpEncryptedFastRequest;
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
private static ReadOnlyMemory <byte> EncodeS4URequest(string s4u, X509Certificate2 certificate, int nonce, string realm, KrbEncryptionKey sessionKey)
{
var userId = new KrbS4uUserId()
{
CName = new KrbPrincipalName {
Type = PrincipalNameType.NT_ENTERPRISE, Name = new[] { s4u }
},
Nonce = nonce,
Realm = realm
};
if (certificate != null)
{
userId.SubjectCertificate = certificate.RawData;
}
var paX509 = new KrbPaS4uX509User
{
UserId = userId,
Checksum = KrbChecksum.Create(userId.Encode(), sessionKey.AsKey(), (KeyUsage)26)
};
return(paX509.Encode());
}
public static KrbTgsReq CreateTgsReq(
RequestServiceTicket rst,
KrbEncryptionKey tgtSessionKey,
KrbKdcRep kdcRep,
out KrbEncryptionKey sessionKey
)
{
var sname = rst.ServicePrincipalName.Split('/', '@');
var tgt = kdcRep.Ticket;
var additionalTickets = new List <KrbTicket>();
if (rst.KdcOptions.HasFlag(KdcOptions.EncTktInSkey) && rst.UserToUserTicket != null)
{
additionalTickets.Add(rst.UserToUserTicket);
}
if (!string.IsNullOrWhiteSpace(rst.S4uTarget))
{
rst.KdcOptions |= KdcOptions.Forwardable;
}
if (rst.S4uTicket != null)
{
rst.KdcOptions |= KdcOptions.ConstrainedDelegation;
additionalTickets.Add(rst.S4uTicket);
}
var body = new KrbKdcReqBody
{
EType = KerberosConstants.ETypes.ToArray(),
KdcOptions = rst.KdcOptions,
Nonce = KerberosConstants.GetNonce(),
Realm = rst.Realm,
SName = new KrbPrincipalName()
{
Type = PrincipalNameType.NT_SRV_INST,
Name = sname
},
Till = KerberosConstants.EndOfTime,
CName = rst.CNameHint
};
if (additionalTickets.Count > 0)
{
body.AdditionalTickets = additionalTickets.ToArray();
}
var bodyChecksum = KrbChecksum.Create(
body.Encode(),
tgtSessionKey.AsKey(),
KeyUsage.PaTgsReqChecksum
);
var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, out sessionKey);
var pacOptions = new KrbPaPacOptions
{
Flags = PacOptions.ResourceBasedConstrainedDelegation | PacOptions.Claims | PacOptions.BranchAware
}.Encode();
var paData = new List <KrbPaData>()
{
new KrbPaData {
Type = PaDataType.PA_TGS_REQ,
Value = tgtApReq.EncodeApplication()
},
new KrbPaData {
Type = PaDataType.PA_PAC_OPTIONS,
Value = pacOptions
}
};
if (!string.IsNullOrWhiteSpace(rst.S4uTarget))
{
paData.Add(new KrbPaData
{
Type = PaDataType.PA_FOR_USER,
Value = EncodeS4URequest(rst.S4uTarget, tgt.Realm, tgtSessionKey)
});
}
var tgs = new KrbTgsReq
{
PaData = paData.ToArray(),
Body = body
};
return(tgs);
}
private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessionKey, KrbChecksum checksum, out KrbEncryptionKey sessionKey)
{
var tgt = kdcRep.Ticket;
var authenticator = new KrbAuthenticator
{
CName = kdcRep.CName,
Realm = kdcRep.CRealm,
SequenceNumber = KerberosConstants.GetNonce(),
Checksum = checksum
};
sessionKey = KrbEncryptionKey.Generate(tgtSessionKey.EType);
sessionKey.Usage = KeyUsage.EncTgsRepPartSubSessionKey;
authenticator.Subkey = sessionKey;
KerberosConstants.Now(out authenticator.CTime, out authenticator.CuSec);
var encryptedAuthenticator = KrbEncryptedData.Encrypt(
authenticator.EncodeApplication(),
tgtSessionKey.AsKey(),
KeyUsage.PaTgsReqAuthenticator
);
var apReq = new KrbApReq
{
Ticket = tgt,
Authenticator = encryptedAuthenticator
};
return(apReq);
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbAuthenticator, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out int tmpAuthenticatorVersionNumber))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.AuthenticatorVersionNumber = tmpAuthenticatorVersionNumber;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpChecksum);
decoded.Checksum = tmpChecksum;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
if (!explicitReader.TryReadInt32(out int tmpCuSec))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.CuSec = tmpCuSec;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
decoded.CTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
KrbEncryptionKey.Decode <KrbEncryptionKey>(explicitReader, out KrbEncryptionKey tmpSubkey);
decoded.Subkey = tmpSubkey;
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 7)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
if (explicitReader.TryReadInt32(out int tmpSequenceNumber))
{
decoded.SequenceNumber = tmpSequenceNumber;
}
else
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
// Decode SEQUENCE OF for AuthorizationData
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbAuthorizationData>();
KrbAuthorizationData tmpItem;
while (collectionReader.HasData)
{
KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out KrbAuthorizationData tmp);
tmpItem = tmp;
tmpList.Add(tmpItem);
}
decoded.AuthorizationData = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}
public static KrbApReq CreateApReq(
KrbKdcRep tgsRep,
KerberosKey authenticatorKey,
RequestServiceTicket rst,
out KrbAuthenticator authenticator
)
{
if (tgsRep == null)
{
throw new ArgumentNullException(nameof(tgsRep));
}
if (authenticatorKey == null)
{
throw new ArgumentNullException(nameof(authenticatorKey));
}
authenticator = new KrbAuthenticator
{
CName = tgsRep.CName,
Realm = tgsRep.CRealm
};
if (rst.AuthenticatorChecksum != null)
{
authenticator.Checksum = rst.AuthenticatorChecksum;
}
else if (!rst.AuthenticatorChecksumSource.IsEmpty)
{
authenticator.Checksum = KrbChecksum.Create(
rst.AuthenticatorChecksumSource,
authenticatorKey,
KeyUsage.AuthenticatorChecksum
);
}
else if (rst.GssContextFlags != GssContextEstablishmentFlag.GSS_C_NONE)
{
authenticator.Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo(rst));
}
if (rst.IncludeSequenceNumber ?? true)
{
authenticator.SequenceNumber = GetNonce();
}
if (rst.ApOptions.HasFlag(ApOptions.MutualRequired))
{
authenticator.Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType);
}
Now(out DateTimeOffset ctime, out int usec);
authenticator.CTime = ctime;
authenticator.CuSec = usec;
var apReq = new KrbApReq
{
Ticket = tgsRep.Ticket,
ApOptions = rst.ApOptions,
Authenticator = KrbEncryptedData.Encrypt(
authenticator.EncodeApplication(),
authenticatorKey,
KeyUsage.ApReqAuthenticator
)
};
return(apReq);
}
public static KrbTgsReq CreateTgsReq(
RequestServiceTicket rst,
KrbEncryptionKey tgtSessionKey,
KrbKdcRep kdcRep,
out KrbEncryptionKey sessionKey
)
{
if (kdcRep == null)
{
throw new ArgumentNullException(nameof(kdcRep));
}
if (tgtSessionKey == null)
{
throw new ArgumentNullException(nameof(tgtSessionKey));
}
if (string.IsNullOrWhiteSpace(rst.ServicePrincipalName))
{
throw new ArgumentNullException(nameof(rst.ServicePrincipalName));
}
var sname = rst.ServicePrincipalName.Split('/', '@');
var tgt = kdcRep.Ticket;
var additionalTickets = new List <KrbTicket>();
if (rst.KdcOptions.HasFlag(KdcOptions.EncTktInSkey) && rst.UserToUserTicket != null)
{
additionalTickets.Add(rst.UserToUserTicket);
}
if (!string.IsNullOrWhiteSpace(rst.S4uTarget) && rst.S4uTicket != null)
{
throw new InvalidOperationException(SR.Resource("S4uTargetTicketBothPresent"));
}
if (!string.IsNullOrWhiteSpace(rst.S4uTarget))
{
rst.KdcOptions |= KdcOptions.Forwardable;
}
if (rst.S4uTicket != null)
{
rst.KdcOptions |= KdcOptions.ConstrainedDelegation;
additionalTickets.Add(rst.S4uTicket);
}
var config = rst.Configuration ?? Krb5Config.Default();
var body = new KrbKdcReqBody
{
EType = GetPreferredETypes(config.Defaults.DefaultTgsEncTypes, config.Defaults.AllowWeakCrypto).ToArray(),
KdcOptions = rst.KdcOptions,
Nonce = GetNonce(),
Realm = rst.Realm,
SName = new KrbPrincipalName()
{
Type = PrincipalNameType.NT_SRV_INST,
Name = sname
},
Till = EndOfTime,
CName = rst.CNameHint
};
if (additionalTickets.Count > 0)
{
body.AdditionalTickets = additionalTickets.ToArray();
}
var bodyChecksum = KrbChecksum.Create(
body.Encode(),
tgtSessionKey.AsKey(),
KeyUsage.PaTgsReqChecksum
);
var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, out sessionKey);
var pacOptions = new KrbPaPacOptions
{
Flags = PacOptions.ResourceBasedConstrainedDelegation | PacOptions.Claims | PacOptions.BranchAware
}.Encode();
var paData = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_TGS_REQ,
Value = tgtApReq.EncodeApplication()
},
new KrbPaData
{
Type = PaDataType.PA_PAC_OPTIONS,
Value = pacOptions
}
};
if (!string.IsNullOrWhiteSpace(rst.S4uTarget))
{
if (tgtSessionKey.EType == EncryptionType.RC4_HMAC_NT)
{
paData.Add(new KrbPaData
{
Type = PaDataType.PA_FOR_USER,
Value = EncodeS4ULegacyRequest(rst.S4uTarget, tgt.Realm, tgtSessionKey)
});
}
else
{
paData.Add(new KrbPaData
{
Type = PaDataType.PA_FOR_X509_USER,
Value = EncodeS4URequest(rst.S4uTarget, rst.S4uTargetCertificate, body.Nonce, tgt.Realm, sessionKey)
});
}
}
var tgs = new KrbTgsReq
{
PaData = paData.ToArray(),
Body = body
};
return(tgs);
}
