        /// <summary>
        /// Builds a KRB_AP_REQ around the ticket held in the current context.
        /// </summary>
        /// <param name="apOptions">AP options, converted to the request's APOptions bit flags.</param>
        /// <param name="checksumType">Checksum type handed to the authenticator.</param>
        /// <param name="seqNumber">Sequence number handed to the authenticator.</param>
        /// <param name="flag">Checksum flags handed to the authenticator.</param>
        /// <param name="subkey">Subkey handed to the authenticator.</param>
        /// <param name="authorizationData">Authorization data handed to the authenticator.</param>
        /// <returns>The request with authenticator, options, message type, protocol version and ticket set.</returns>
        public KileApRequest CreateApRequest(
            ApOptions apOptions,
            ChecksumType checksumType,
            int seqNumber,
            ChecksumFlags flag,
            EncryptionKey subkey,
            AuthorizationData authorizationData)
        {
            KileApRequest apRequest = new KileApRequest(context);

            // The authenticator is built with the context's AP session key and no checksum body (null).
            // NOTE(review): in the overloads shown in this listing, only the ap_authenticator_8003 branch
            // ignores the key and body; confirm what other checksum types do with a null body.
            apRequest.Authenticator = CreateAuthenticator(
                checksumType, seqNumber, flag, subkey, authorizationData, context.ApSessionKey, null);

            // Fixed header fields, the caller's options, and the service ticket from the context.
            var optionBits = KerberosUtility.ConvertInt2Flags((int)apOptions);
            apRequest.Request.ap_options = new APOptions(optionBits);
            apRequest.Request.msg_type   = new Asn1Integer((int)MsgType.KRB_AP_REQ);
            apRequest.Request.pvno       = new Asn1Integer(ConstValue.KERBEROSV5);
            apRequest.Request.ticket     = context.ApTicket;

            return apRequest;
        }
 /// <summary>
 /// Builds a KRB_AP_REQ whose client identity is the realm and user name stored in the context.
 /// </summary>
 /// <remarks>
 /// Forwards to the overload that takes an explicit realm and principal name. The client identity
 /// therefore comes from the context, never from the caller of this overload.
 /// </remarks>
 public KileApRequest CreateApRequest(ApOptions apOptions,
                                      ChecksumType checksumType,
                                      int seqNumber,
                                      ChecksumFlags flag,
                                      EncryptionKey subkey,
                                      AuthorizationData authorizationData)
 {
     var clientRealm = context.UserRealm;
     var clientName  = context.UserName;

     return CreateApRequest(
         clientRealm,
         clientName,
         apOptions,
         checksumType,
         seqNumber,
         flag,
         subkey,
         authorizationData);
 }
        /// <summary>
        /// Get the ApOptions flags and the checksum flags that correspond to the context attribute.
        /// </summary>
        /// <param name="apOptions">The apOptions flag</param>
        /// <param name="checksumFlags">The checksum flag</param>
        private void GetFlagsByContextAttribute(out ApOptions apOptions, out ChecksumFlags checksumFlags)
        {
            // Both outputs are cleared before any check that can throw.
            apOptions     = ApOptions.None;
            checksumFlags = ChecksumFlags.None;

            var requested = contextAttribute;

            // Unsupported attributes fail loudly instead of being dropped from the request.
            if ((requested & ClientSecurityContextAttribute.Delegate) == ClientSecurityContextAttribute.Delegate)
            {
                throw new NotSupportedException("ContextAttribute.Delegate is not supported currently!");
            }
            if ((requested & ClientSecurityContextAttribute.UseSessionKey) == ClientSecurityContextAttribute.UseSessionKey)
            {
                throw new NotSupportedException("ContextAttribute.UseSessionKey is not supported currently!");
            }

            // NOTE(review): only the attributes tested below are mapped. Any other bit set in
            // contextAttribute is ignored without an error, so a caller asking for an unmapped
            // protection gets no signal that it was not applied.
            ChecksumFlags gssFlags = ChecksumFlags.None;

            // Mutual authentication is the only attribute that also changes the AP options.
            if ((requested & ClientSecurityContextAttribute.MutualAuth) == ClientSecurityContextAttribute.MutualAuth)
            {
                gssFlags  |= ChecksumFlags.GSS_C_MUTUAL_FLAG;
                apOptions |= ApOptions.MutualRequired;
            }

            // Message-protection services.
            if ((requested & ClientSecurityContextAttribute.Integrity) == ClientSecurityContextAttribute.Integrity)
            {
                gssFlags |= ChecksumFlags.GSS_C_INTEG_FLAG;
            }
            if ((requested & ClientSecurityContextAttribute.Confidentiality) == ClientSecurityContextAttribute.Confidentiality)
            {
                gssFlags |= ChecksumFlags.GSS_C_CONF_FLAG;
            }
            if ((requested & ClientSecurityContextAttribute.ReplayDetect) == ClientSecurityContextAttribute.ReplayDetect)
            {
                gssFlags |= ChecksumFlags.GSS_C_REPLAY_FLAG;
            }
            if ((requested & ClientSecurityContextAttribute.SequenceDetect) == ClientSecurityContextAttribute.SequenceDetect)
            {
                gssFlags |= ChecksumFlags.GSS_C_SEQUENCE_FLAG;
            }

            // Remaining context-establishment flags.
            if ((requested & ClientSecurityContextAttribute.DceStyle) == ClientSecurityContextAttribute.DceStyle)
            {
                gssFlags |= ChecksumFlags.GSS_C_DCE_STYLE;
            }
            if ((requested & ClientSecurityContextAttribute.ExtendedError) == ClientSecurityContextAttribute.ExtendedError)
            {
                gssFlags |= ChecksumFlags.GSS_C_EXTENDED_ERROR_FLAG;
            }
            if ((requested & ClientSecurityContextAttribute.Identify) == ClientSecurityContextAttribute.Identify)
            {
                gssFlags |= ChecksumFlags.GSS_C_IDENTIFY_FLAG;
            }

            checksumFlags = gssFlags;
        }
        /// <summary>
        /// Create authenticator for AP request or part of PA-DATA for TGS request.
        /// </summary>
        /// <param name="cRealm">This field contains the name of the realm in which the client is registered and in
        /// which initial authentication took place.</param>
        /// <param name="cName">This field contains the name part of the client's principal identifier.</param>
        /// <param name="checksumType">The checksum type selected.</param>
        /// <param name="seqNumber">The current local sequence number.</param>
        /// <param name="flag">The flag set in checksum field of Authenticator.</param>
        /// <param name="subkey">Specify the new subkey used in the following exchange. This field is optional.
        /// This argument can be got with method GenerateKey(ApSessionKey).
        /// This argument can be null. If this argument is null, no subkey will be sent.</param>
        /// <param name="authorizationData">The authentication data of authenticator. This field is optional.
        /// This argument can be generated by method ConstructAuthorizationData. This argument can be null.
        /// If this argument is null, no Authorization Data will be sent.</param>
        /// <param name="key">The key to do checksum.</param>
        /// <param name="checksumBody">The data to compute checksum.</param>
        /// <returns>The created authenticator.</returns>
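        private Authenticator CreateAuthenticator(Realm cRealm,
                                                  PrincipalName cName,
                                                  ChecksumType checksumType,
                                                  int seqNumber,
                                                  ChecksumFlags flag,
                                                  EncryptionKey subkey,
                                                  AuthorizationData authorizationData,
                                                  EncryptionKey key,
                                                  byte[] checksumBody)
        {
            Authenticator plaintextAuthenticator = new Authenticator();

            plaintextAuthenticator.authenticator_vno  = new Asn1Integer(ConstValue.KERBEROSV5);
            plaintextAuthenticator.crealm             = cRealm;
            plaintextAuthenticator.cname              = cName;
            // NOTE(review): cusec is always 0. If ctime has one-second resolution (presumably; the
            // type is defined elsewhere), two authenticators built for the same client within one
            // second carry the same timestamp pair, and an acceptor's replay cache may reject the
            // second one. Confirm this is intended.
            plaintextAuthenticator.cusec              = new Microseconds(0);
            plaintextAuthenticator.ctime              = KileUtility.CurrentKerberosTime;
            plaintextAuthenticator.seq_number         = new KerbUInt32(seqNumber);
            plaintextAuthenticator.subkey             = subkey;
            plaintextAuthenticator.authorization_data = authorizationData;

            byte[] checkData;
            if (checksumType == ChecksumType.ap_authenticator_8003)
            {
                // AP request: the 0x8003 "checksum" is a plain structure (length, bindings, flags).
                // This branch uses neither key nor checksumBody.
                AuthCheckSum checksum = new AuthCheckSum();
                checksum.Lgth  = ConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
                // Bnd is left all zero, so no channel-binding value is carried and the token is not
                // tied to an outer channel. Acceptors that require channel bindings would presumably
                // reject it; verify against the target's policy.
                checksum.Bnd   = new byte[checksum.Lgth];
                checksum.Flags = (int)flag;

                // RFC 4121 section 4.1.1 defines Lgth and Flags as little-endian. BitConverter emits
                // host byte order, so normalise the bytes on big-endian hosts.
                byte[] lengthBytes = BitConverter.GetBytes(checksum.Lgth);
                byte[] flagBytes   = BitConverter.GetBytes(checksum.Flags);
                if (!BitConverter.IsLittleEndian)
                {
                    Array.Reverse(lengthBytes);
                    Array.Reverse(flagBytes);
                }

                checkData = ArrayUtility.ConcatenateArrays(lengthBytes, checksum.Bnd, flagBytes);
            }
            else
            {
                // TGS PA data: a keyed checksum over checksumBody. Without a key the dereference
                // below would fail with a NullReferenceException, so report the missing argument
                // by name instead.
                if (key == null)
                {
                    throw new ArgumentNullException("key");
                }

                checkData = KileUtility.GetChecksum(
                    key.keyvalue.ByteArrayValue,
                    checksumBody,
                    (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum,
                    checksumType);
            }

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));

            return plaintextAuthenticator;
        }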
        /// <summary>
        /// Create authenticator for AP request or part of PA-DATA for TGS request.
        /// </summary>
        /// <param name="cRealm">This field contains the name of the realm in which the client is registered and in
        /// which initial authentication took place.</param>
        /// <param name="cName">This field contains the name part of the client's principal identifier.</param>
        /// <param name="checksumType">The checksum type selected.</param>
        /// <param name="seqNumber">The current local sequence number.</param>
        /// <param name="flag">The flag set in checksum field of Authenticator.</param>
        /// <param name="subkey">Specify the new subkey used in the following exchange. This field is optional.
        /// This argument can be got with method GenerateKey(ApSessionKey).
        /// This argument can be null. If this argument is null, no subkey will be sent.</param>
        /// <param name="authorizationData">The authentication data of authenticator. This field is optional.
        /// This argument can be generated by method ConstructAuthorizationData. This argument can be null.
        /// If this argument is null, no Authorization Data will be sent.</param>
        /// <param name="key">The key to do checksum.</param>
        /// <param name="checksumBody">The data to compute checksum.</param>
        /// <returns>The created authenticator.</returns>
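        private Authenticator CreateAuthenticator(
            ChecksumType checksumType,
            int seqNumber,
            ChecksumFlags flag,
            EncryptionKey subkey,
            AuthorizationData authorizationData,
            EncryptionKey key,
            byte[] checksumBody)
        {
            // The three-argument overload (not shown here) supplies the fields other than cksum.
            var plaintextAuthenticator = CreateAuthenticator(authorizationData, subkey, seqNumber);

            byte[] checkData;
            if (checksumType == ChecksumType.ap_authenticator_8003)
            {
                // AP request: the 0x8003 "checksum" is a plain structure (length, bindings, flags).
                // This branch uses neither key nor checksumBody.
                var checksum = new AuthCheckSum();
                checksum.Lgth  = ConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
                // Bnd is left all zero, so no channel-binding value is carried and the token is not
                // tied to an outer channel. Acceptors that require channel bindings would presumably
                // reject it; verify against the target's policy.
                checksum.Bnd   = new byte[checksum.Lgth];
                checksum.Flags = (int)flag;

                // RFC 4121 section 4.1.1 defines Lgth and Flags as little-endian. BitConverter emits
                // host byte order, so normalise the bytes on big-endian hosts.
                byte[] lengthBytes = BitConverter.GetBytes(checksum.Lgth);
                byte[] flagBytes   = BitConverter.GetBytes(checksum.Flags);
                if (!BitConverter.IsLittleEndian)
                {
                    Array.Reverse(lengthBytes);
                    Array.Reverse(flagBytes);
                }

                checkData = ArrayUtility.ConcatenateArrays(lengthBytes, checksum.Bnd, flagBytes);
            }
            else
            {
                // TGS PA data: a keyed checksum over checksumBody. Without a key the dereference
                // below would fail with a NullReferenceException, so report the missing argument
                // by name instead.
                if (key == null)
                {
                    throw new ArgumentNullException("key");
                }

                checkData = KerberosUtility.GetChecksum(
                    key.keyvalue.ByteArrayValue,
                    checksumBody,
                    (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum,
                    checksumType);
            }

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));

            return plaintextAuthenticator;
        }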
        /// <summary>
        /// Builds a KRB_AP_REQ for an explicitly named client, using the ticket held in the context.
        /// </summary>
        /// <param name="cRealm">Client realm placed in the authenticator. Must not be null.</param>
        /// <param name="cName">Client principal name placed in the authenticator. Must not be null.</param>
        /// <param name="apOptions">AP options, converted to the request's APOptions bit flags.</param>
        /// <param name="checksumType">Checksum type handed to the authenticator.</param>
        /// <param name="seqNumber">Sequence number handed to the authenticator.</param>
        /// <param name="flag">Checksum flags handed to the authenticator.</param>
        /// <param name="subkey">Subkey handed to the authenticator.</param>
        /// <param name="authorizationData">Authorization data handed to the authenticator.</param>
        /// <returns>The request with authenticator, options, message type, protocol version and ticket set.</returns>
        /// <exception cref="ArgumentNullException">cRealm or cName is null.</exception>
        public KileApRequest CreateApRequest(
            Realm cRealm,
            PrincipalName cName,
            ApOptions apOptions,
            ChecksumType checksumType,
            int seqNumber,
            ChecksumFlags flag,
            EncryptionKey subkey,
            AuthorizationData authorizationData)
        {
            // An authenticator without a client identity is never built: both parts are required.
            if (cRealm == null)
            {
                throw new ArgumentNullException("cRealm");
            }

            if (cName == null)
            {
                throw new ArgumentNullException("cName");
            }

            var apRequest = new KileApRequest(context);

            // Keyed with the context's AP session key; no checksum body is supplied (null).
            apRequest.Authenticator = CreateAuthenticator(
                cRealm,
                cName,
                checksumType,
                seqNumber,
                flag,
                subkey,
                authorizationData,
                context.ApSessionKey,
                null);

            // Fixed header fields, the caller's options, and the service ticket from the context.
            var optionBits = KileUtility.ConvertInt2Flags((int)apOptions);
            apRequest.Request.ap_options = new APOptions(optionBits);
            apRequest.Request.msg_type   = new Asn1Integer((int)MsgType.KRB_AP_REQ);
            apRequest.Request.pvno       = new Asn1Integer(ConstValue.KERBEROSV5);
            apRequest.Request.ticket     = context.ApTicket;

            return apRequest;
        }
        /// <summary>
        /// Create authenticator for ChecksumType.ap_authenticator_8003
        /// </summary>
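        private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlag)
        {
            // The three-argument overload (not shown here) supplies the fields other than cksum.
            Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);

            // The 0x8003 "checksum" is a plain structure (length, bindings, flags); no key is involved.
            AuthCheckSum checksum = new AuthCheckSum();

            checksum.Lgth  = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
            // Bnd is left all zero, so no channel-binding value is carried and the token is not tied
            // to an outer channel. Acceptors that require channel bindings would presumably reject it;
            // verify against the target's policy.
            checksum.Bnd   = new byte[checksum.Lgth];
            checksum.Flags = (int)checksumFlag;

            // RFC 4121 section 4.1.1 defines Lgth and Flags as little-endian. BitConverter emits
            // host byte order, so normalise the bytes on big-endian hosts.
            byte[] lengthBytes = BitConverter.GetBytes(checksum.Lgth);
            byte[] flagBytes   = BitConverter.GetBytes(checksum.Flags);
            if (!BitConverter.IsLittleEndian)
            {
                Array.Reverse(lengthBytes);
                Array.Reverse(flagBytes);
            }

            byte[] checkData = ArrayUtility.ConcatenateArrays(lengthBytes, checksum.Bnd, flagBytes);

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
            return plaintextAuthenticator;
        }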
        /// <summary>
        /// Create AP request and encode to GSSAPI token
        /// </summary>
        /// <param name="apOptions">AP options</param>
        /// <param name="data">Authorization data</param>
        /// <param name="subkey">Sub-session key in authenticator</param>
        /// <param name="checksumFlags">Checksum flags</param>
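        /// <returns>The encoded AP request: the raw request bytes when the context's checksum flags include
        /// GSS_C_DCE_STYLE, otherwise the request wrapped in a GSS-API token header.</returns>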
        private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
        {
            APOptions requestOptions = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));

            // Build the authenticator for the context's ticket and keep a reference to it on this instance.
            Authenticator apAuthenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
            this.ApRequestAuthenticator = apAuthenticator;

            KerberosApRequest apRequest = new KerberosApRequest(
                Context.Pvno,
                requestOptions,
                Context.Ticket,
                apAuthenticator,
                KeyUsageNumber.AP_REQ_Authenticator);

            // The client context is updated with the request before it is serialised.
            this.client.UpdateContext(apRequest);

            // NOTE(review): the framing decision reads Context.ChecksumFlag, not the checksumFlags
            // argument that went into the authenticator. Presumably UpdateContext keeps the two in
            // step; verify, otherwise the framing and the advertised flags can disagree.
            bool dceStyle =
                (this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE;

            if (!dceStyle)
            {
                // Default framing: wrap the request in a GSS-API token header.
                return KerberosUtility.AddGssApiTokenHeader(apRequest, this.client.OidPkt, gssToken);
            }

            // DCE style: the raw request bytes are returned without the header.
            return apRequest.ToBytes();
        }
 /// <summary>
 /// Builds an AP request for the given ticket with a freshly created 0x8003 authenticator.
 /// </summary>
 /// <param name="option">AP options placed in the request.</param>
 /// <param name="ticket">Ticket placed in the request and used to build the authenticator.</param>
 /// <param name="subkey">Subkey handed to the authenticator.</param>
 /// <param name="data">Authorization data handed to the authenticator.</param>
 /// <param name="keyUsageNumber">Key usage number handed to the request.</param>
 /// <param name="checksumFlag">Flags carried in the authenticator checksum.</param>
 /// <returns>The assembled AP request.</returns>
 private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subkey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumFlags checksumFlag)
 {
     // The authenticator is created first, then the request is assembled around it.
     Authenticator apAuthenticator = CreateAuthenticator(ticket, data, subkey, checksumFlag);

     return new KerberosApRequest(
         Context.Pvno,
         option,
         ticket,
         apAuthenticator,
         keyUsageNumber);
 }
        /// <summary>
        /// Create AP request and encode to GSSAPI token
        /// </summary>
        /// <param name="apOptions">AP options</param>
        /// <param name="data">Authorization data</param>
        /// <param name="subkey">Sub-session key in authenticator</param>
        /// <param name="checksumFlags">Checksum flags</param>
        /// <returns>The AP request wrapped in a GSS-API token header.</returns>
        public byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags,
            Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
        {
            APOptions requestOptions = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));

            // The authenticator and the request both use the ticket currently held in the context.
            Authenticator apAuthenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);

            KerberosApRequest apRequest = new KerberosApRequest(
                Context.Pvno,
                requestOptions,
                Context.Ticket,
                apAuthenticator,
                KeyUsageNumber.AP_REQ_Authenticator);

            // This overload always adds the GSS-API token header; it has no DCE-style (raw) path.
            byte[] token = KerberosUtility.AddGssApiTokenHeader(apRequest, this.oidPkt, gssToken);
            return token;
        }
        /// <summary>
        /// Create authenticator for ChecksumType.ap_authenticator_8003
        /// </summary>
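        private Authenticator CreateAuthenticator(
            KerberosTicket ticket,
            AuthorizationData data,
            EncryptionKey subkey,
            ChecksumFlags checksumFlag
            )
        {
            // The three-argument overload (not shown here) supplies the fields other than cksum.
            Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);

            // The 0x8003 "checksum" is a plain structure (length, bindings, flags); no key is involved.
            AuthCheckSum checksum = new AuthCheckSum();
            checksum.Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
            // Bnd is left all zero, so no channel-binding value is carried and the token is not tied
            // to an outer channel. Acceptors that require channel bindings would presumably reject it;
            // verify against the target's policy.
            checksum.Bnd = new byte[checksum.Lgth];
            checksum.Flags = (int)checksumFlag;

            // RFC 4121 section 4.1.1 defines Lgth and Flags as little-endian. BitConverter emits
            // host byte order, so normalise the bytes on big-endian hosts.
            byte[] lengthBytes = BitConverter.GetBytes(checksum.Lgth);
            byte[] flagBytes = BitConverter.GetBytes(checksum.Flags);
            if (!BitConverter.IsLittleEndian)
            {
                Array.Reverse(lengthBytes);
                Array.Reverse(flagBytes);
            }

            byte[] checkData = ArrayUtility.ConcatenateArrays(lengthBytes, checksum.Bnd, flagBytes);

            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
            return plaintextAuthenticator;
        }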