public void AsReqPreAuth_PkinitCertificateAccessible() { var credCert = new X509Certificate2(ReadDataFile("testuser.pfx"), "p"); var cred = new TrustedAsymmetricCredential(credCert, "*****@*****.**"); var asReq = KrbAsReq.CreateAsReq(cred, AuthenticationOptions.AllAuthentication); var handler = new KdcAsReqMessageHandler( asReq.EncodeApplication(), new ListenerOptions { DefaultRealm = "corp.identityintervention.com", RealmLocator = realm => new FakeRealmService(realm) }); handler.PreAuthHandlers[PaDataType.PA_PK_AS_REQ] = service => new PaDataPkAsReqHandler(service) { IncludeOption = X509IncludeOption.EndCertOnly }; var context = new PreAuthenticationContext(); handler.DecodeMessage(context); handler.ExecutePreValidate(context); handler.QueryPreValidate(context); handler.ValidateTicketRequest(context); handler.QueryPreExecute(context); handler.ExecuteCore(context); Assert.AreEqual(PaDataType.PA_PK_AS_REQ, context.ClientAuthority); Assert.AreEqual(1, context.PreAuthenticationState.Count); Assert.IsTrue(context.PreAuthenticationState.TryGetValue(PaDataType.PA_PK_AS_REQ, out PaDataState paState)); var state = paState as PkInitState; Assert.IsNotNull(state); Assert.IsNotNull(state.ClientCertificate); Assert.AreEqual(1, state.ClientCertificate.Count); var clientCert = state.ClientCertificate[0]; Assert.IsFalse(clientCert.HasPrivateKey); Assert.AreEqual(credCert.Thumbprint, clientCert.Thumbprint); }
public async Task PKINIT_Unsupported_KeyAgreement_EC() { var port = NextPort(); using (var cert = new X509Certificate2(ReadDataFile("testuser.pfx"), "p")) using (var listener = StartListener(port)) using (var client = CreateClient(listener)) using (var kerbCred = new TrustedAsymmetricCredential(cert, AdminAtCorpUserName) { KeyAgreement = KeyAgreementAlgorithm.None, SupportsDiffieHellman = false, SupportsEllipticCurveDiffieHellman = true }) { await client.Authenticate(kerbCred); } }
private static async Task RequestAndValidateTickets( string user, string password = null, string overrideKdc = null, KeyTable keytab = null, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true, X509Certificate2 cert = null ) { KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, user); } else if (keytab != null) { kerbCred = new KeytabCredential(user, keytab); } else { kerbCred = new KerberosPasswordCredential(user, password); } using (var client = new KerberosClient(overrideKdc) { CacheServiceTickets = caching }) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var spn = FakeAppServiceSpn; var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, includePac : includePac); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, encodeNego, includePac : includePac); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired, S4uTarget = s4u } ); await ValidateTicket(ticket, includePac : includePac); } }
private static async Task MultithreadedRequests( int port, int threads, int requests, bool cacheTickets, bool encodeNego, bool includePac, string kdc, X509Certificate2 cert = null ) { using (var listener = StartListener(port)) { var exceptions = new List <Exception>(); KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName); } else { kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword); } using (KerberosClient client = new KerberosClient(kdc)) { client.CacheServiceTickets = cacheTickets; if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() => { for (var i = 0; i < requests; i++) { try { if (i % 2 == 0) { await client.Authenticate(kerbCred); } var ticket = await client.GetServiceTicket(new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired }); Assert.IsNotNull(ticket.ApReq); await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac); } catch (Exception ex) { exceptions.Add(ex); } } })).ToArray()); } listener.Stop(); if (exceptions.Count > 0) { throw new AggregateException($"Failed {exceptions.Count}", exceptions.GroupBy(e => e.GetType()).Select(e => e.First())); } } }
internal static async Task RequestAndValidateTickets( KdcListener listener, string user, string password = null, string overrideKdc = null, KeyTable keytab = null, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true, X509Certificate2 cert = null, string spn = FakeAppServiceSpn, KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14 ) { KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, user) { KeyAgreement = keyAgreement }; } else if (keytab != null) { kerbCred = new KeytabCredential(user, keytab); } else { kerbCred = new KerberosPasswordCredential(user, password); } KerberosClient client = CreateClient(listener, overrideKdc, caching: caching); using (client) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, includePac : includePac, spn : spn); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired } ); await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = ApOptions.MutualRequired, S4uTarget = s4u } ); await ValidateTicket(ticket, includePac : includePac, spn : spn); } }
internal static async Task <List <Exception> > MultithreadedRequests( int threads, int requests, bool cacheTickets, bool encodeNego, bool includePac, string kdc, X509Certificate2 cert, KdcListener listener ) { var exceptions = new List <Exception>(); KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, TestAtCorpUserName); } else { kerbCred = new KerberosPasswordCredential(AdminAtCorpUserName, FakeAdminAtCorpPassword); } KerberosClient client = CreateClient(listener, kdc); using (client) { client.CacheServiceTickets = cacheTickets; if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); Task.WaitAll(Enumerable.Range(0, threads).Select(taskNum => Task.Run(async() => { for (var i = 0; i < requests; i++) { try { if (i % 2 == 0) { await client.Authenticate(kerbCred); } var ticket = await client.GetServiceTicket(new RequestServiceTicket { ServicePrincipalName = FakeAppServiceSpn, ApOptions = ApOptions.MutualRequired }); Assert.IsNotNull(ticket.ApReq); await ValidateTicket(ticket, encodeNego: encodeNego, includePac: includePac); } catch (Exception ex) { exceptions.Add(ex); } } })).ToArray()); } return(exceptions); }
internal static async Task RequestAndValidateTicketsWithCaches( KdcListener listener, string user, string password = null, string overrideKdc = null, KeyTable keytab = null, string s4u = null, bool encodeNego = false, bool caching = false, bool includePac = true, X509Certificate2 cert = null, string spn = FakeAppServiceSpn, KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14, bool allowWeakCrypto = false, bool useWeakCrypto = false, bool mutualAuth = true, KrbTicket s4uTicket = null, bool useKrb5TicketCache = false ) { KerberosCredential kerbCred; if (cert != null) { kerbCred = new TrustedAsymmetricCredential(cert, user) { KeyAgreement = keyAgreement }; } else if (keytab != null) { kerbCred = new KeytabCredential(user, keytab); } else { kerbCred = new KerberosPasswordCredential(user, password); } KerberosClient client = CreateClient( listener, overrideKdc, caching: caching, allowWeakCrypto: allowWeakCrypto, useWeakCrypto: useWeakCrypto, useKrb5TicketCache: useKrb5TicketCache ); using (kerbCred as IDisposable) using (client) { if (!includePac) { client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest; } await client.Authenticate(kerbCred); var ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = mutualAuth ? ApOptions.MutualRequired : 0 } ); await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth); await client.RenewTicket(); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = mutualAuth ? ApOptions.MutualRequired : 0 } ); await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth); ticket = await client.GetServiceTicket( new RequestServiceTicket { ServicePrincipalName = spn, ApOptions = mutualAuth ? ApOptions.MutualRequired : 0, S4uTarget = s4u, S4uTicket = s4uTicket } ); await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth); } if (user.Contains("-fallback")) { Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType); } else { Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType); } }