private IKeyAgreement FromDiffieHellmanDomainParameters(KrbSubjectPublicKeyInfo clientPublicValue)
{
var parameters = KrbDiffieHellmanDomainParameters.DecodeSpecial(clientPublicValue.Algorithm.Parameters.Value);
IKeyAgreement agreement;
if (this.IsSupportedAlgorithm(KeyAgreementAlgorithm.DiffieHellmanModp14, Oakley.Group14.Prime, parameters.P))
{
var cachedKey = this.Service.Principals.RetrieveKeyCache(KeyAgreementAlgorithm.DiffieHellmanModp14);
agreement = CryptoPal.Platform.DiffieHellmanModp14(cachedKey);
}
else if (this.IsSupportedAlgorithm(KeyAgreementAlgorithm.DiffieHellmanModp2, Oakley.Group2.Prime, parameters.P))
{
var cachedKey = this.Service.Principals.RetrieveKeyCache(KeyAgreementAlgorithm.DiffieHellmanModp2);
agreement = CryptoPal.Platform.DiffieHellmanModp2(cachedKey);
}
else
{
var length = parameters.P.Length * 8;
throw new InvalidOperationException($"Unsupported Diffie Hellman key agreement parameter with length {length}");
}
var publicKey = DiffieHellmanKey.ParsePublicKey(clientPublicValue.SubjectPublicKey, agreement.PublicKey.KeyLength);
agreement.ImportPartnerKey(publicKey);
return(agreement);
}
public void ParsePaPkAsReq_SignedAuthPack_ParseAuthPack()
{
KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq);
SignedCms signedCms = new SignedCms();
signedCms.Decode(asreq.SignedAuthPack.ToArray());
signedCms.CheckSignature(verifySignatureOnly: true);
KrbAuthPack authPack = KrbAuthPack.Decode(signedCms.ContentInfo.Content);
Assert.IsNotNull(authPack);
var param = authPack.ClientPublicValue.Algorithm.Parameters.Value;
var b64 = Convert.ToBase64String(param.ToArray());
var domainParams = KrbDiffieHellmanDomainParameters.DecodeSpecial(param);
Assert.IsNotNull(domainParams);
var special = domainParams.EncodeSpecial();
Assert.IsTrue(special.Span.SequenceEqual(param.ToArray()));
var decodedPk = CryptEncode.CryptDecodePublicParameter(authPack.ClientPublicValue.SubjectPublicKey).Slice(16);
}
private async Task <IKeyAgreement> FromDiffieHellmanDomainParametersAsync(KrbSubjectPublicKeyInfo clientPublicValue)
{
var parameters = KrbDiffieHellmanDomainParameters.DecodeSpecial(clientPublicValue.Algorithm.Parameters.Value);
IKeyAgreement agreement = null;
switch (parameters.P.Length)
{
case 128:
agreement = CryptoPal.Platform.DiffieHellmanModp2(
await Service.Principals.RetrieveKeyCache(KeyAgreementAlgorithm.DiffieHellmanModp2)
);
break;
case 256:
agreement = CryptoPal.Platform.DiffieHellmanModp14(
await Service.Principals.RetrieveKeyCache(KeyAgreementAlgorithm.DiffieHellmanModp14)
);
break;
default:
throw new InvalidOperationException("Unknown key agreement parameter");
}
var publicKey = DiffieHellmanKey.ParsePublicKey(clientPublicValue.SubjectPublicKey, agreement.PublicKey.KeyLength);
agreement.ImportPartnerKey(publicKey);
return(agreement);
}
private KrbAuthPack CreateDiffieHellmanAuthPack(KrbKdcReqBody body)
{
using (var sha1 = CryptoPal.Platform.Sha1())
{
var encoded = body.Encode();
var paChecksum = sha1.ComputeHash(encoded.Span);
var parametersAreCached = this.CacheKeyAgreementParameters(this.agreement);
if (parametersAreCached)
{
var etype = GetPreferredEType(body.EType, this.Configuration.Defaults.AllowWeakCrypto);
if (etype is null)
{
throw new InvalidOperationException("Cannot find a common EType");
}
this.clientDHNonce = GenerateNonce(etype.Value, this.agreement.PublicKey.KeyLength);
}
var domainParams = KrbDiffieHellmanDomainParameters.FromKeyAgreement(this.agreement);
var authPack = new KrbAuthPack
{
PKAuthenticator = new KrbPKAuthenticator
{
Nonce = body.Nonce,
PaChecksum = paChecksum
},
ClientPublicValue = new KrbSubjectPublicKeyInfo
{
Algorithm = new KrbAlgorithmIdentifier
{
Algorithm = DiffieHellman,
Parameters = domainParams.EncodeSpecial()
},
SubjectPublicKey = this.agreement.PublicKey.EncodePublicKey()
},
ClientDHNonce = this.clientDHNonce
};
return(authPack);
}
}
private async Task <IKeyAgreement> FromDiffieHellmanDomainParametersAsync(KrbSubjectPublicKeyInfo clientPublicValue)
{
var parameters = KrbDiffieHellmanDomainParameters.DecodeSpecial(clientPublicValue.Algorithm.Parameters.Value);
var agreement = parameters.P.Length switch
{
128 => CryptoPal.Platform.DiffieHellmanModp2(
await Service.Principals.RetrieveKeyCache(KeyAgreementAlgorithm.DiffieHellmanModp2)
),
256 => CryptoPal.Platform.DiffieHellmanModp14(
await Service.Principals.RetrieveKeyCache(KeyAgreementAlgorithm.DiffieHellmanModp14)
),
_ => throw new InvalidOperationException("Unknown key agreement parameter"),
};
var publicKey = DiffieHellmanKey.ParsePublicKey(clientPublicValue.SubjectPublicKey);
agreement.ImportPartnerKey(publicKey);
return(agreement);
}
private KrbAuthPack CreateDiffieHellmanAuthPack(KrbKdcReqBody body)
{
using (var sha1 = CryptoPal.Platform.Sha1())
{
var encoded = body.Encode();
var paChecksum = sha1.ComputeHash(encoded.Span);
var parametersAreCached = CacheKeyAgreementParameters(agreement);
if (parametersAreCached)
{
clientDHNonce = GenerateNonce(body.EType.First(), agreement.PublicKey.KeyLength);
}
var domainParams = KrbDiffieHellmanDomainParameters.FromKeyAgreement(agreement);
var authPack = new KrbAuthPack
{
PKAuthenticator = new KrbPKAuthenticator
{
Nonce = body.Nonce,
PaChecksum = paChecksum
},
ClientPublicValue = new KrbSubjectPublicKeyInfo
{
Algorithm = new KrbAlgorithmIdentifier
{
Algorithm = DiffieHellman,
Parameters = domainParams.EncodeSpecial()
},
SubjectPublicKey = agreement.PublicKey.EncodePublicKey()
},
ClientDHNonce = clientDHNonce
};
return(authPack);
}
}
