public EncTicketPart(
     TicketFlags param0,
     EncryptionKey param1,
     Realm param2,
     PrincipalName param3,
     TransitedEncoding param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     KerberosTime param8,
     HostAddresses param9,
     AuthorizationData param10)
 {
     this.flags = param0;
     this.key = param1;
     this.crealm = param2;
     this.cname = param3;
     this.transited = param4;
     this.authtime = param5;
     this.starttime = param6;
     this.endtime = param7;
     this.renew_till = param8;
     this.caddr = param9;
     this.authorization_data = param10;
 }
        /// <summary>
        /// Construct a Kerberos test client for FAST
        /// </summary>
        /// <param name="domain">The realm part of the client's principal identifier.
        /// This argument cannot be null.</param>
        /// <param name="cName">The account to logon the remote machine. Either user account or computer account
        /// This argument cannot be null.</param>
        /// <param name="password">The password of the user. This argument cannot be null.</param>
        /// <param name="accountType">The type of the logon account. User or Computer</param>
        public KerberosFunctionalClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt omiPkt, ITestSite baseTestSite)
            : base(domain, cName, password, accountType, armorTicket, armorSessionKey, kdcAddress, kdcPort, transportType, omiPkt)
        {
            testSite = baseTestSite;
            if (accountType == KerberosAccountType.Device)
            {
                testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using computer account: {0}@{1}.",
                                    cName, domain);
            }
            else
            {
                testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using user account: {0}@{1}.",
                                    cName, domain);
            }
            EncryptionType[] encryptionTypes = new EncryptionType[]
            {
                EncryptionType.AES256_CTS_HMAC_SHA1_96,
                EncryptionType.AES128_CTS_HMAC_SHA1_96,
                EncryptionType.RC4_HMAC,
                EncryptionType.RC4_HMAC_EXP,
                EncryptionType.DES_CBC_CRC,
                EncryptionType.DES_CBC_MD5
            };

            KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
            for (int i = 0; i < encryptionTypes.Length; i++)
            {
                etypes[i] = new KerbInt32((int)encryptionTypes[i]);
            }
            Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);

            Context.SupportedEType = etype;

            Context.Pvno = KerberosConstValue.KERBEROSV5;
        }
 public EncASRepPart(
     EncryptionKey param0,
     LastReq param1,
     KerbUInt32 param2,
     KerberosTime param3,
     TicketFlags param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     KerberosTime param8,
     Realm param9,
     PrincipalName param10,
     HostAddresses param11,
     Asn1SequenceOf<PA_DATA> param12)
 {
     this.key = param0;
     this.last_req = param1;
     this.nonce = param2;
     this.key_expiration = param3;
     this.flags = param4;
     this.authtime = param5;
     this.starttime = param6;
     this.endtime = param7;
     this.renew_till = param8;
     this.srealm = param9;
     this.sname = param10;
     this.caddr = param11;
     this.pa_datas = param12;
 }
 public KrbCredInfo(
     EncryptionKey param0,
     Realm param1,
     PrincipalName param2,
     TicketFlags param3,
     KerberosTime param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     Realm param8,
     PrincipalName param9,
     HostAddresses param10)
 {
     this.key = param0;
     this.prealm = param1;
     this.pname = param2;
     this.flags = param3;
     this.authtime = param4;
     this.starttime = param5;
     this.endtime = param6;
     this.renew_till = param7;
     this.srealm = param8;
     this.sname = param9;
     this.caddr = param10;
 }
 /// <summary>
 /// Create context
 /// </summary>
 /// <param name="domain">Domain name</param>
 /// <param name="cName">Principal name</param>
 /// <param name="password">Password of principal</param>
 /// <param name="accountType">Accoundtype, user or device</param>
 /// <param name="armorTicket">Computer TGT as armor ticket</param>
 /// <param name="armorSessionKey">Computer TGS session key as armor session key</param>
 public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt, KerberosTicket armorTicket, EncryptionKey armorSessionKey)
     : this(domain, cName, password, accountType, salt)
 {
     this.ArmorTicket = armorTicket;
     this.ArmorSessionKey = armorSessionKey;
     this.SelectedEType = (EncryptionType)this.ArmorTicket.SessionKey.keytype.Value;
 }
 /// <summary>
 /// Create a KileClient instance.
 /// </summary>
 /// <param name="domain">The realm part of the client's principal identifier.
 /// This argument cannot be null.</param>
 /// <param name="cName">The account to logon the remote machine. Either user account or computer account
 /// This argument cannot be null.</param>
 /// <param name="password">The password of the user. This argument cannot be null.</param>
 /// <param name="accountType">The type of the logon account. User or Computer</param>
 /// <param name="kdcAddress">The IP address of the KDC.</param>
 /// <param name="kdcPort">The port of the KDC.</param>
 /// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
 /// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
 public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
 {
     TransportBufferSize = KerberosConstValue.TRANSPORT_BUFFER_SIZE;
     this.Context = new KerberosContext(domain, cName, password, accountType, salt, armorTicket, armorSessionKey);
     this.kdcAddress = kdcAddress;
     this.kdcPort = kdcPort;
     this.transportType = transportType;
     this.oidPkt = oidPkt;
     this.Context.TransportType = transportType;
 }
 public KrbFastResponse(
     Asn1SequenceOf<PA_DATA> param0,
     EncryptionKey param1,
     KrbFastFinished param2,
     KerbUInt32 param3)
 {
     this.padata = param0;
     this.strengthen_key = param1;
     this.finished = param2;
     this.nonce = param3;
 }
 public EncAPRepPart(
     KerberosTime param0,
     Microseconds param1,
     EncryptionKey param2,
     KerbUInt32 param3)
 {
     this.ctime = param0;
     this.cusec = param1;
     this.subkey = param2;
     this.seq_number = param3;
 }
 public Authenticator(
     Asn1Integer param0,
     Realm param1,
     PrincipalName param2,
     Checksum param3,
     Microseconds param4,
     KerberosTime param5,
     EncryptionKey param6,
     KerbUInt32 param7,
     AuthorizationData param8)
 {
     this.authenticator_vno = param0;
     this.crealm = param1;
     this.cname = param2;
     this.cksum = param3;
     this.cusec = param4;
     this.ctime = param5;
     this.subkey = param6;
     this.seq_number = param7;
     this.authorization_data = param8;
 }
        /// <summary>
        /// Decrypt the KRB-PRIV
        /// </summary>
        /// <param name="subkey">the subkey used to decrypt</param>
        public void DecryptKrbPriv(EncryptionKey subkey)
        {
            byte[] priv = KerberosUtility.Decrypt(
                      (EncryptionType)subkey.keytype.Value,
                      subkey.keyvalue.ByteArrayValue,
                      krb_priv.enc_part.cipher.ByteArrayValue,
                      (int)KeyUsageNumber.KRB_PRIV_EncPart);

            Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(priv);
            priv_enc_part.BerDecode(decodeBuffer);
        }
        private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subKey, ChecksumType checksumType, byte[] checksumBody)
        {
            Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subKey);

            byte[] checkData = KerberosUtility.GetChecksum(ticket.SessionKey.keyvalue.ByteArrayValue, checksumBody, (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum, checksumType);
            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));

            return(plaintextAuthenticator);
        }
 private Authenticator CreateAuthenticator(
     KerberosTicket ticket,
     AuthorizationData data,
     EncryptionKey subkey
     )
 {
     Authenticator plaintextAuthenticator = new Authenticator();
     plaintextAuthenticator.authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5);
     plaintextAuthenticator.crealm = Context.CName.Realm;
     plaintextAuthenticator.cusec = new Microseconds(0);
     plaintextAuthenticator.ctime = KerberosUtility.CurrentKerberosTime;
     plaintextAuthenticator.seq_number = new KerbUInt32(0);
     plaintextAuthenticator.cname = ticket.TicketOwner;
     plaintextAuthenticator.subkey = subkey;
     plaintextAuthenticator.authorization_data = data;
     return plaintextAuthenticator;
 }
Ejemplo n.º 13
0
 /// <summary>
 /// Create a Kerberos ticket
 /// </summary>
 /// <param name="ticket">Ticket</param>
 /// <param name="ticketOwner">Owner of ticket</param>
 /// <param name="sessionKey">Session key in ticket</param>
 public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
 {
     this.Ticket      = ticket;
     this.TicketOwner = ticketOwner;
     this.SessionKey  = sessionKey;
 }
 /// <summary>
 /// Create a Kerberos ticket
 /// </summary>
 /// <param name="ticket">Ticket</param>
 /// <param name="ticketOwner">Owner of ticket</param>
 /// <param name="sessionKey">Session key in ticket</param>
 public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
 {
     this.Ticket = ticket;
     this.TicketOwner = ticketOwner;
     this.SessionKey = sessionKey;
 }
        private static EncryptionKey GetArmorKey(EncryptionKey sessionKey, EncryptionKey subKey, EncryptionKey explicitSubkey = null)
        {
            EncryptionKey armorKey;
            if (explicitSubkey != null)
            {
                armorKey = KerberosUtility.KrbFxCf2(explicitSubkey, sessionKey, "subkeyarmor", "ticketarmor");
                armorKey = KerberosUtility.KrbFxCf2(armorKey, subKey, "explicitarmor", "tgsarmor");
            }
            else
            {
                armorKey = KerberosUtility.KrbFxCf2(subKey, sessionKey, "subkeyarmor", "ticketarmor");
            }

            return armorKey;
        }
        private EncTicketPart RetrieveAndDecryptServiceTicket(KerberosFunctionalClient kerberosClient, out EncryptionKey serviceKey)
        {
            //Create and send AS request
            const KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
            kerberosClient.SendAsRequest(options, null);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects Kerberos Error from KDC");
            //Receive preauthentication required error
            METHOD_DATA methodData;
            KerberosKrbError krbError = kerberosClient.ExpectPreauthRequiredError(out methodData);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends AS request with PA-DATA set");
            //Create sequence of PA data
            string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
            PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                0,
                kerberosClient.Context.SelectedEType,
                kerberosClient.Context.CName.Password,
                kerberosClient.Context.CName.Salt);
            PaPacRequest paPacRequest = new PaPacRequest(true);
            Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new[] { paEncTimeStamp.Data, paPacRequest.Data });
            //Create and send AS request
            kerberosClient.SendAsRequest(options, seqOfPaData);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects AS response from KDC");
            KerberosAsResponse asResponse = kerberosClient.ExpectAsResponse();
            BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");

            //Create and send TGS request
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends TGS request to KDC");
            kerberosClient.SendTgsRequest(servicePrincipalName, options);

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects TGS response from KDC");
            KerberosTgsResponse tgsResponse = kerberosClient.ExpectTgsResponse();

            BaseTestSite.Assert.AreEqual(servicePrincipalName,
                KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
                "Service principal name in service ticket should match expected.");

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Decrypt SMB2 Service Ticket");
            serviceKey = keyManager.QueryKey(servicePrincipalName, TestConfig.DomainName, kerberosClient.Context.SelectedEType);
            tgsResponse.DecryptTicket(serviceKey);

            return tgsResponse.TicketEncPart;
        }
 /// <summary>
 /// Create and send FAST AS request
 /// </summary>
 /// <param name="kdcOptions">KDC options</param>
 /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
 /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
 /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
 /// <param name="fastOptions">FAST options</param>
 /// <param name="apOptions">AP options in FAST armor field</param>
 public void SendAsRequestWithFastHideCName(
     KdcOptions kdcOptions,
     string cName,
     Asn1SequenceOf<PA_DATA> innerSeqPaData,
     Asn1SequenceOf<PA_DATA> outerSeqPaData,
     EncryptionKey subKey,
     ApOptions apOptions)
 {
     var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
         KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
     Context.Subkey = subKey;
     string sName = KerberosConstValue.KERBEROS_SNAME;
     string domain = this.Context.Realm.Value;
     PrincipalName sname =
         new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
     KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
     kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
     var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody);
     PA_DATA[] elements;
     if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
     {
         elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
         Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
         elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
     }
     else
     {
         elements = new PA_DATA[] { pafxfast.Data };
     }
     Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
     KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
     this.SendPdu(asRequest);
     this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
 }
        private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null)
        {
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator");
            Random r = new Random();
            int seqNum = r.Next();

            Authenticator plaintextAuthenticator = new Authenticator
            {
                authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5),
                crealm = realm,
                cusec = new Microseconds(0),
                ctime = KerberosUtility.CurrentKerberosTime,
                seq_number = new KerbUInt32(seqNum),
                cname = cname,
                subkey = subkey,
                authorization_data = data
            };

            AuthCheckSum checksum = new AuthCheckSum { Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH };
            checksum.Bnd = new byte[checksum.Lgth];
            checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
            byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
                checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));

            return plaintextAuthenticator;
        }
        private EncryptedData EncryptTicket(EncTicketPart encTicketPart, EncryptionKey serviceKey)
        {
            Asn1BerEncodingBuffer encodeBuffer = new Asn1BerEncodingBuffer();
            encTicketPart.BerEncode(encodeBuffer, true);
            byte[] encData = KerberosUtility.Encrypt(
                (EncryptionType)serviceKey.keytype.Value,
                serviceKey.keyvalue.ByteArrayValue,
                encodeBuffer.Data,
                (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

            return new EncryptedData(
                    new KerbInt32(serviceKey.keytype.Value),
                    null,
                    new Asn1OctetString(encData));
        }
        /// <summary>
        /// Create AP request and encode to GSSAPI token
        /// </summary>
        /// <param name="apOptions">AP options</param>
        /// <param name="data">Authorization data</param>
        /// <param name="subkey">Sub-session key in authenticator</param>
        /// <param name="checksumFlags">Checksum flags</param>
        /// <returns></returns>
        private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
        {
            APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));

            Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);

            this.ApRequestAuthenticator = authenticator;
            KerberosApRequest request = new KerberosApRequest(
                Context.Pvno,
                options,
                Context.Ticket,
                authenticator,
                KeyUsageNumber.AP_REQ_Authenticator
                );

            this.client.UpdateContext(request);

            if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
            {
                return(request.ToBytes());
            }
            else
            {
                return(KerberosUtility.AddGssApiTokenHeader(request, this.client.OidPkt, gssToken));
            }
        }
 public KerberosFastResponse(Asn1SequenceOf<PA_DATA> seqPaData, EncryptionKey strengthenKey, KrbFastFinished finished, long nouce)
 {
     this.FastResponse = new KrbFastResponse(seqPaData, strengthenKey, finished, new KerbUInt32(nouce));
 }
        private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subKey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
        {
            Authenticator     authenticator = CreateAuthenticator(ticket, data, subKey, checksumType, checksumBody);
            KerberosApRequest apRequest     = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);

            return(apRequest);
        }
        public PaFxFastReq CreateTgsPaFxFast(
            EncryptionKey armorKey,
            KerberosTicket armorTicket,
            FastOptions fastOptions,
            ApOptions apOptions,
            Asn1SequenceOf<PA_DATA> seqPaData,
            string sName,
            byte[] apReq,
            IFastArmor armor = null
            )
        {
            string domain = this.Context.Realm.Value;
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);

            //Generate checksum
            var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            var chksum = KerberosUtility.GetChecksum(
                armorKey.keyvalue.ByteArrayValue,
                apReq,
                (int)KeyUsageNumber.FAST_REQ_CHECKSUM,
                checksumType);
            Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));

            KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
            KerberosArmoredRequest armoredReq
                = new KerberosArmoredRequest(armor, checkSum, (long)Context.SelectedEType, armorKey.keyvalue.ByteArrayValue, fastReq);
            PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
            paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
            PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
            return paFxfast;
        }
        /// <summary>
        /// Kerberos Client Initialize without server token
        /// </summary>
        private void ClientInitialize()
        {
            this.ApRequestAuthenticator = null;
            // Create and send AS request for pre-authentication
            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;

            KerberosTicket ticket = this.GetTGTCachedToken(this.credential, this.serverName);

            if (ticket == null)
            {
                this.SendAsRequest(options, null);

                // Expect recieve preauthentication required error
                METHOD_DATA methodData;
                this.ExpectPreauthRequiredError(out methodData);

                // Create sequence of PA data
                string         timeStamp      = KerberosUtility.CurrentKerberosTime.Value;
                PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
                                                                   0,
                                                                   this.Context.SelectedEType,
                                                                   this.Context.CName.Password,
                                                                   this.Context.CName.Salt);
                PaPacRequest             paPacRequest   = new PaPacRequest(true);
                PaPacOptions             paPacOptions   = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
                Asn1SequenceOf <PA_DATA> seqOfPaData_AS = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
                // Create and send AS request for TGT
                KerberosAsRequest asRequest = this.SendAsRequest(options, seqOfPaData_AS);

                // Expect TGT(AS) Response from KDC
                KerberosAsResponse asResponse = this.ExpectAsResponse();

                // Create and send TGS request
                Asn1SequenceOf <PA_DATA> seqOfPaData_TGS = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });
                this.SendTgsRequest(this.serverName, options, seqOfPaData_TGS);

                // Expect TGS Response from KDC
                KerberosTgsResponse tgsResponse = this.ExpectTgsResponse();
                this.UpdateTGTCachedToken(this.Context.Ticket);
            }
            else
            {
                // Restore SessionKey and Ticket from cache
                this.Context.SessionKey    = ticket.SessionKey;
                this.Context.ApSessionKey  = ticket.SessionKey;
                this.Context.Ticket        = ticket;
                this.Context.SelectedEType = (EncryptionType)Context.Ticket.Ticket.enc_part.etype.Value;
            }

            // cache this.Context.Ticket;
            ApOptions apOption;

            GetFlagsByContextAttribute(out apOption);

            AuthorizationData data   = null;
            EncryptionKey     subkey = KerberosUtility.GenerateKey(this.client.Context.ContextKey);

            this.token = this.CreateGssApiToken(apOption,
                                                data,
                                                subkey,
                                                this.Context.ChecksumFlag,
                                                KerberosConstValue.GSSToken.GSSAPI);

            bool isMutualAuth = (contextAttribute & ClientSecurityContextAttribute.MutualAuth)
                                == ClientSecurityContextAttribute.MutualAuth;
            bool isDceStyle = (contextAttribute & ClientSecurityContextAttribute.DceStyle)
                              == ClientSecurityContextAttribute.DceStyle;

            if (isMutualAuth || isDceStyle)
            {
                this.needContinueProcessing = true;
            }
            else
            {
                this.needContinueProcessing = false;
            }
        }
 /// <summary>
 /// Create and send FAST AS request with an unknown armor type
 /// </summary>
 /// <param name="kdcOptions">KDC options</param>
 /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
 /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
 /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
 /// <param name="fastOptions">FAST options</param>
 /// <param name="apOptions">AP options in FAST armor field</param>
 /// <param name="armorType">armorType</param>
 public void SendAsRequestWithFast(
     KdcOptions kdcOptions,
     Asn1SequenceOf<PA_DATA> innerSeqPaData,
     Asn1SequenceOf<PA_DATA> outerSeqPaData,
     EncryptionKey subKey,
     FastOptions fastOptions,
     ApOptions apOptions,
     KrbFastArmorType armorType
     )
 {
     Context.Subkey = subKey;
     string sName = KerberosConstValue.KERBEROS_SNAME;
     string domain = this.Context.Realm.Value;
     PrincipalName sname =
         new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
     KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
     var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType);
     PA_DATA[] elements;
     if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
     {
         elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
         Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
         elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
     }
     else
     {
         elements = new PA_DATA[] { pafxfast.Data };
     }
     Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
     KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
     this.SendPdu(asRequest);
     this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
 }
        public KerberosFastResponse GetKerberosFastRep(EncryptionKey key)
        {
            var armoredRep = GetArmoredRep();
            var decrypted = KerberosUtility.Decrypt((EncryptionType)key.keytype.Value ,
                key.keyvalue.ByteArrayValue,
                armoredRep.enc_fast_rep.cipher.ByteArrayValue,
                (int)KeyUsageNumber.FAST_REP
            );

            KerberosUtility.OnDumpMessage("KRB5:KrbFastArmoredRep(enc-fast-req)",
                "An encrypted KrbFastRep in PA_FX_FAST_REPLY",
                KerberosUtility.DumpLevel.PartialMessage,
                decrypted);

            KrbFastResponse fastrep = new KrbFastResponse();
            fastrep.BerDecode(new Asn1DecodingBuffer(decrypted));
            return new KerberosFastResponse(fastrep);
        }
        /// <summary>
        /// Create and send FAST TGS request
        /// </summary>
        /// <param name="sName">Service principal name</param>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
        /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
        /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
        /// <param name="fastOptions">FAST options</param>
        /// <param name="apOptions">AP options in FAST armor field</param>
        /// <param name="data">Authorization data</param>
        public void SendTgsRequestWithExplicitFast(
            string sName,
            KdcOptions kdcOptions,
            Asn1SequenceOf<PA_DATA> innerSeqPaData,
            Asn1SequenceOf<PA_DATA> outerSeqPaData,
            EncryptionKey subKey,
            FastOptions fastOptions,
            ApOptions apOptions,
            AuthorizationData data = null)
        {
            Context.Subkey = subKey;
            Context.ReplyKey = subKey;
            string domain = this.Context.Realm.Value;
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
            Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(bodyBuffer);

            //Create PA-TGS-REQ
            APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
            ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            KerberosApRequest apRequest = CreateApRequest(
                option,
                Context.Ticket,
                subKey,
                data,
                KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
                checksumType,
                bodyBuffer.Data);

            PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);

            Asn1SequenceOf<PA_DATA> tempPaData = null;
            if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
            {
                tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
            }
            else
            {
                tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
                tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
            }
            //Create explicit FAST armor
            EncryptionKey explicitSubkey = KerberosUtility.MakeKey(
                Context.SelectedEType,
                "Password04!",
                "This is a salt");
            Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey);
            KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
                Context.ArmorTicket,
                plaintextAuthenticator,
                KeyUsageNumber.AP_REQ_Authenticator);
            FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request);

            //Create armor key
            var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey);
            Context.FastArmorkey = armorKey;

            //Create PA-FX-FAST
            var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor);

            PA_DATA[] elements;
            if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
            {
                elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
                elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
                elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
            }
            else
            {
                elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
            }
            Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
            KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);

            this.SendPdu(tgsRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
        }
        public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
        {
            this.TimeStamp = timeStamp;
            this.Usec = usec;

            var keyvalue = KeyGenerator.KrbFxCf2(
                (EncryptionType)armorKey.keytype.Value,
                armorKey.keyvalue.ByteArrayValue,
                userLongTermKey.keyvalue.ByteArrayValue,
                "clientchallengearmor",
                "challengelongterm");
            switch (type)
            {
                case EncryptionType.AES256_CTS_HMAC_SHA1_96:
                    {
                        var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue));
                        this.Key = key;
                        break;
                    }
                case EncryptionType.RC4_HMAC:
                    {
                        var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue));
                        this.Key = key;
                        break;
                    }
                default:
                    throw new ArgumentException("Unsupported encryption type.");
            }

            // create a timestamp
            PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
            Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
            paEncTsEnc.BerEncode(currTimeStampBuffer);

            var rawData = currTimeStampBuffer.Data;
            KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
                "Encrypted Timestamp Pre-authentication",
                KerberosUtility.DumpLevel.PartialMessage,
                rawData);

            // encrypt the timestamp
            byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
                                                      this.Key.keyvalue.ByteArrayValue,
                                                      rawData,
                                                      (int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);

            EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value),
                null,
                new Asn1OctetString(encTimeStamp));

            Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
            encryptedChallenge.BerEncode(paEncTimestampBuffer, true);

            Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data));
        }
        /// <summary>
        /// Create and send FAST TGS request
        /// </summary>
        /// <param name="sName">Service principal name</param>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
        /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
        /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
        /// <param name="fastOptions">FAST options</param>
        /// <param name="apOptions">AP options in FAST armor field</param>
        /// <param name="data">Authorization data</param>
        public void SendTgsRequestWithFastHideCName(
            string sName,
            PrincipalName cName,
            KdcOptions kdcOptions,
            Asn1SequenceOf<PA_DATA> innerSeqPaData,
            Asn1SequenceOf<PA_DATA> outerSeqPaData,
            EncryptionKey subKey,
            ApOptions apOptions,
            AuthorizationData data = null)
        {
            var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
                KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
            Context.Subkey = subKey;
            Context.ReplyKey = subKey;
            string domain = this.Context.Realm.Value;
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
            kdcReqBody.cname = cName;
            Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(bodyBuffer);

            APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
            ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            KerberosApRequest apRequest = CreateApRequest(
                option,
                Context.Ticket,
                subKey,
                data,
                KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
                checksumType,
                bodyBuffer.Data);

            PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);

            Asn1SequenceOf<PA_DATA> tempPaData = null;
            if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
            {
                tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
            }
            else
            {
                tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
                tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
            }
            var armorKey = GetArmorKey(Context.SessionKey, subKey);
            var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue);
            Context.FastArmorkey = armorKey;
            PA_DATA[] elements;
            if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
            {
                elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
                elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
                elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
            }
            else
            {
                elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
            }
            Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
            KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);

            this.SendPdu(tgsRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
        }
        public static EncryptionKey MakeKey(EncryptionType type, string password, string salt)
        {
            EncryptionKey key = new EncryptionKey(new KerbInt32((long)type), new Asn1OctetString(KeyGenerator.MakeKey(type, password, salt)));

            return(key);
        }
 private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subkey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
 {
     Authenticator authenticator = CreateAuthenticator(ticket, data, subkey, checksumType, checksumBody);
     KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
     return apReq;
 }
Ejemplo n.º 32
0
        /// <summary>
        /// Generate a GCC AP token for the given account and SPN.
        /// </summary>
        /// <param name="kdcIpAddr">KDC IP address</param>
        /// <param name="account">Account Name.</param>
        /// <param name="pwd">Password of the account.</param>
        /// <param name="domain">Domain name.</param>
        /// <param name="spn">SPN</param>
        /// <param name="aType">Account type</param>
        /// <returns>Token</returns>
        public static byte[] GenerateGssApToken(string kdcIpAddr, string account, string pwd, string domain, string spn, KerberosAccountType aType)
        {
            KerberosTestClient client = new KerberosTestClient(
                domain,
                account,
                pwd,
                KerberosAccountType.User,
                kdcIpAddr,
                88,
                Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.TransportType.TCP,
                (KerberosConstValue.OidPkt)Enum.Parse(typeof(KerberosConstValue.OidPkt), "MSKerberosToken"));

            //Create and send AS request
            KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE | KdcOptions.OK_AS_DELEGATE;

            client.SendAsRequest(options, null);

            //Recieve preauthentication required error
            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.METHOD_DATA methodData;
            KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);

            //Create sequence of PA data
            string timeStamp = KerberosUtility.CurrentKerberosTime.Value;

            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaEncTimeStamp paEncTimeStamp = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt);
            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaPacRequest   paPacRequest   = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaPacRequest(true);
            Microsoft.Protocols.TestTools.StackSdk.Asn1.Asn1SequenceOf <PA_DATA>       seqOfPaData    = new Microsoft.Protocols.TestTools.StackSdk.Asn1.Asn1SequenceOf <PA_DATA>(new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
            //Create and send AS request
            client.SendAsRequest(options, seqOfPaData);
            KerberosAsResponse asResponse = client.ExpectAsResponse();

            //Create and send TGS request
            client.SendTgsRequest(spn, options);
            KerberosTgsResponse refTgsResponse = client.ExpectTgsResponse();


            // client.ChangeRealm(childDomain, childDcIp, 88, Microsoft.Protocols.TestTools.StackSdk.Security.Kerberos.TransportType.TCP);
            // client.SendTgsRequest(spn, options);
            // KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();

            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.AuthorizationData data   = null;
            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.EncryptionKey     subkey = Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerberosUtility.GenerateKey(client.Context.SessionKey);
            byte[] token = client.CreateGssApiToken(Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.ApOptions.None,
                                                    data,
                                                    subkey,
                                                    Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.ChecksumFlags.None,
                                                    KerberosConstValue.GSSToken.GSSAPI
                                                    );

            return(token);
        }
        private Authenticator CreateAuthenticator(
            KerberosTicket ticket,
            AuthorizationData data,
            EncryptionKey subkey,
            ChecksumType checksumType,
            byte[] checksumBody
            )
        {
            Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);

            byte[] checkData = KerberosUtility.GetChecksum(ticket.SessionKey.keyvalue.ByteArrayValue,
                checksumBody, (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum, checksumType);

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));
            return plaintextAuthenticator;
        }
        /// <summary>
        /// Create authenticator for ChecksumType.ap_authenticator_8003
        /// </summary>
        private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlag)
        {
            Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);

            AuthCheckSum checksum = new AuthCheckSum();

            checksum.Lgth  = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
            checksum.Bnd   = new byte[checksum.Lgth];
            checksum.Flags = (int)checksumFlag;
            byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
                                                              checksum.Bnd, BitConverter.GetBytes(checksum.Flags));

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
            return(plaintextAuthenticator);
        }
 /// <summary>
 /// Create a KileClient instance.
 /// </summary>
 /// <param name="domain">The realm part of the client's principal identifier.
 /// This argument cannot be null.</param>
 /// <param name="cName">The account to logon the remote machine. Either user account or computer account
 /// This argument cannot be null.</param>
 /// <param name="password">The password of the user. This argument cannot be null.</param>
 /// <param name="accountType">The type of the logon account. User or Computer</param>
 /// <param name="kdcAddress">The IP address of the KDC.</param>
 /// <param name="kdcPort">The port of the KDC.</param>
 /// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
 /// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
 public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, IPAddress kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
 {
     TransportBufferSize        = KerberosConstValue.TRANSPORT_BUFFER_SIZE;
     this.Context               = new KerberosContext(domain, cName, password, accountType, salt, armorTicket, armorSessionKey, KerberosContextType.Client);
     this.kdcAddress            = kdcAddress;
     this.kdcPort               = kdcPort;
     this.transportType         = transportType;
     this.oidPkt                = oidPkt;
     this.Context.TransportType = transportType;
 }
Ejemplo n.º 36
0
 /// <summary>
 /// Create a KileClient instance.
 /// </summary>
 /// <param name="domain">The realm part of the client's principal identifier.
 /// This argument cannot be null.</param>
 /// <param name="cName">The account to logon the remote machine. Either user account or computer account
 /// This argument cannot be null.</param>
 /// <param name="password">The password of the user. This argument cannot be null.</param>
 /// <param name="accountType">The type of the logon account. User or Computer</param>
 /// <param name="kdcAddress">The IP address of the KDC.</param>
 /// <param name="kdcPort">The port of the KDC.</param>
 /// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
 /// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
 public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
     : this(domain, cName, password, accountType, armorTicket, armorSessionKey, IPAddress.Parse(kdcAddress), kdcPort, transportType, oidPkt, salt)
 {
 }
        public PaFxFastReq CreateAsPaFxFast(
            EncryptionKey subKey,
            FastOptions fastOptions,
            ApOptions apOptions,
            Asn1SequenceOf<PA_DATA> seqPaData,
            string sName,
            KDC_REQ_BODY kdcReqBody,
            KrbFastArmorType armorType
            )
        {
            string domain = this.Context.Realm.Value;
            PrincipalName sname =
                new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));

            var armorKey = KerberosUtility.MakeArmorKey(
                Context.SelectedEType,
                subKey.keyvalue.ByteArrayValue,
                Context.ArmorSessionKey.keyvalue.ByteArrayValue);
            Context.FastArmorkey = new EncryptionKey(new KerbInt32((long)Context.SelectedEType), new Asn1OctetString(armorKey));

            Asn1BerEncodingBuffer encodebuf = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(encodebuf);
            var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            var chksum = KerberosUtility.GetChecksum(
                armorKey,
                encodebuf.Data,
                (int)KeyUsageNumber.FAST_REQ_CHECKSUM,
                checksumType);
            Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));

            Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, subKey);

            KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
                Context.ArmorTicket,
                plaintextAuthenticator,
                KeyUsageNumber.AP_REQ_Authenticator);

            KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
            KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
            FastArmorApRequest fastArmor = new FastArmorApRequest(apReq.Request);
            fastArmor.armorType = armorType;
            KerberosArmoredRequest armoredReq
                = new KerberosArmoredRequest(fastArmor, checkSum, (long)Context.SelectedEType, armorKey, fastReq);
            PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
            paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
            PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
            return paFxfast;
        }
        /// <summary>
        /// Create AP request and encode to GSSAPI token
        /// </summary>
        /// <param name="apOptions">AP options</param>
        /// <param name="data">Authorization data</param>
        /// <param name="subkey">Sub-session key in authenticator</param>
        /// <param name="checksumFlags">Checksum flags</param>
        /// <returns></returns>
        public byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags,
            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
        {
            APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));

            Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);

            KerberosApRequest request = new KerberosApRequest(
                Context.Pvno,
                options,
                Context.Ticket,
                authenticator,
                KeyUsageNumber.AP_REQ_Authenticator
                );

            return KerberosUtility.AddGssApiTokenHeader(request, this.oidPkt, gssToken);
        }
 /// <summary>
 /// Create context
 /// </summary>
 /// <param name="domain">Domain name</param>
 /// <param name="cName">Principal name</param>
 /// <param name="password">Password of principal</param>
 /// <param name="accountType">Accoundtype, user or device</param>
 /// <param name="armorTicket">Computer TGT as armor ticket</param>
 /// <param name="armorSessionKey">Computer TGS session key as armor session key</param>
 public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt, KerberosTicket armorTicket, EncryptionKey armorSessionKey)
     : this(domain, cName, password, accountType, salt)
 {
     this.ArmorTicket     = armorTicket;
     this.ArmorSessionKey = armorSessionKey;
     this.SelectedEType   = (EncryptionType)this.ArmorTicket.SessionKey.keytype.Value;
 }
        private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subkey)
        {
            Authenticator plaintextAuthenticator = new Authenticator();

            plaintextAuthenticator.authenticator_vno  = new Asn1Integer(KerberosConstValue.KERBEROSV5);
            plaintextAuthenticator.crealm             = this.Context.CName.Realm;
            plaintextAuthenticator.cusec              = new Microseconds(DateTime.UtcNow.Millisecond);
            plaintextAuthenticator.ctime              = KerberosUtility.CurrentKerberosTime;
            plaintextAuthenticator.seq_number         = new KerbUInt32(0);
            plaintextAuthenticator.cname              = ticket.TicketOwner;
            plaintextAuthenticator.subkey             = subkey;
            plaintextAuthenticator.authorization_data = data;
            return(plaintextAuthenticator);
        }
 public void DecryptTicket(EncryptionKey key)
 {
     DecryptTicket((EncryptionType)key.keytype.Value, key.keyvalue.ByteArrayValue);
 }
        /// <summary>
        /// Create authenticator for ChecksumType.ap_authenticator_8003
        /// </summary>
        private Authenticator CreateAuthenticator(
            KerberosTicket ticket,
            AuthorizationData data,
            EncryptionKey subkey,
            ChecksumFlags checksumFlag
            )
        {
            Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);

            AuthCheckSum checksum = new AuthCheckSum();
            checksum.Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
            checksum.Bnd = new byte[checksum.Lgth];
            checksum.Flags = (int)checksumFlag;
            byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
                checksum.Bnd, BitConverter.GetBytes(checksum.Flags));

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
            return plaintextAuthenticator;
        }