public void AsReqPreAuth_PkinitCertificateAccessible()
{
var credCert = new X509Certificate2(ReadDataFile("testuser.pfx"), "p");
var cred = new TrustedAsymmetricCredential(credCert, "*****@*****.**");
var asReq = KrbAsReq.CreateAsReq(cred, AuthenticationOptions.AllAuthentication);
var handler = new KdcAsReqMessageHandler(
asReq.EncodeApplication(),
new ListenerOptions
{
DefaultRealm = "corp.identityintervention.com",
RealmLocator = realm => new FakeRealmService(realm)
});
handler.PreAuthHandlers[PaDataType.PA_PK_AS_REQ] = service => new PaDataPkAsReqHandler(service)
{
IncludeOption = X509IncludeOption.EndCertOnly
};
var context = new PreAuthenticationContext();
handler.DecodeMessage(context);
handler.ExecutePreValidate(context);
handler.QueryPreValidate(context);
handler.ValidateTicketRequest(context);
handler.QueryPreExecute(context);
handler.ExecuteCore(context);
Assert.AreEqual(PaDataType.PA_PK_AS_REQ, context.ClientAuthority);
Assert.AreEqual(1, context.PreAuthenticationState.Count);
Assert.IsTrue(context.PreAuthenticationState.TryGetValue(PaDataType.PA_PK_AS_REQ, out PaDataState paState));
var state = paState as PkInitState;
Assert.IsNotNull(state);
Assert.IsNotNull(state.ClientCertificate);
Assert.AreEqual(1, state.ClientCertificate.Count);
var clientCert = state.ClientCertificate[0];
Assert.IsFalse(clientCert.HasPrivateKey);
Assert.AreEqual(credCert.Thumbprint, clientCert.Thumbprint);
}
public async Task PKINIT_Unsupported_KeyAgreement_EC()
{
var port = NextPort();
using (var cert = new X509Certificate2(ReadDataFile("testuser.pfx"), "p"))
using (var listener = StartListener(port))
using (var client = CreateClient(listener))
using (var kerbCred = new TrustedAsymmetricCredential(cert, AdminAtCorpUserName)
{
KeyAgreement = KeyAgreementAlgorithm.None,
SupportsDiffieHellman = false,
SupportsEllipticCurveDiffieHellman = true
})
{
await client.Authenticate(kerbCred);
}
}
private static async Task RequestAndValidateTickets(
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user);
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
using (var client = new KerberosClient(overrideKdc)
{
CacheServiceTickets = caching
})
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var spn = FakeAppServiceSpn;
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac);
}
}
private static async Task MultithreadedRequests(
int port,
int threads,
int requests,
bool cacheTickets,
bool encodeNego,
bool includePac,
string kdc,
X509Certificate2 cert = null
)
{
using (var listener = StartListener(port))
{
var exceptions = new List <Exception>();
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
}
else
{
kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
}
using (KerberosClient client = new KerberosClient(kdc))
{
client.CacheServiceTickets = cacheTickets;
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() =>
{
for (var i = 0; i < requests; i++)
{
try
{
if (i % 2 == 0)
{
await client.Authenticate(kerbCred);
}
var ticket = await client.GetServiceTicket(new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
});
Assert.IsNotNull(ticket.ApReq);
await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
}
catch (Exception ex)
{
exceptions.Add(ex);
}
}
})).ToArray());
}
listener.Stop();
if (exceptions.Count > 0)
{
throw new AggregateException($"Failed {exceptions.Count}", exceptions.GroupBy(e => e.GetType()).Select(e => e.First()));
}
}
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
}
}
internal static async Task <List <Exception> > MultithreadedRequests(
int threads,
int requests,
bool cacheTickets,
bool encodeNego,
bool includePac,
string kdc,
X509Certificate2 cert,
KdcListener listener
)
{
var exceptions = new List <Exception>();
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName);
}
else
{
kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword);
}
KerberosClient client = CreateClient(listener, kdc);
using (client)
{
client.CacheServiceTickets = cacheTickets;
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() =>
{
for (var i = 0; i < requests; i++)
{
try
{
if (i % 2 == 0)
{
await client.Authenticate(kerbCred);
}
var ticket = await client.GetServiceTicket(new RequestServiceTicket
{
ServicePrincipalName = FakeAppServiceSpn,
ApOptions = ApOptions.MutualRequired
});
Assert.IsNotNull(ticket.ApReq);
await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac);
}
catch (Exception ex)
{
exceptions.Add(ex);
}
}
})).ToArray());
}
return(exceptions);
}
internal static async Task RequestAndValidateTicketsWithCaches(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null,
bool useKrb5TicketCache = false
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(
listener,
overrideKdc,
caching: caching,
allowWeakCrypto: allowWeakCrypto,
useWeakCrypto: useWeakCrypto,
useKrb5TicketCache: useKrb5TicketCache
);
using (kerbCred as IDisposable)
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0,
S4uTarget = s4u,
S4uTicket = s4uTicket
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
}
if (user.Contains("-fallback"))
{
Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType);
}
else
{
Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType);
}
}
