        /// <summary>
        /// Builds the AS reply for <paramref name="uid"/>: a fresh TGT ("uid|TS2|LifeTime2") sealed
        /// under the AS/TGS key, then "sealedTicket|sessionKey|userCode" sealed under the AS/client key,
        /// followed by "," and an RSA signature over the hash of the session key.
        /// </summary>
        /// <param name="uid">User id handed to <c>LoginService.GetUser</c>.</param>
        /// <param name="tgticket">Receives the plaintext TGT that was sealed into the reply (it is not encrypted itself).</param>
        /// <returns>The reply string "&lt;sealed payload&gt;,&lt;rsasign&gt;".</returns>
        public string CreateKerbAsResp(string uid, out TGTicket tgticket)
        {
            User user = LoginService.GetUser(uid);
            TGTicket issued = new TGTicket(user.UserCode);

            // TGT body, sealed with the AS/TGS key and the shared KeyType.Iv so only the TGS opens it.
            string ticketBody = string.Join("|", issued.Uid, Convert.ToString(issued.TS2), Convert.ToString(issued.LifeTime2));
            string sealedTicket = desCryp.Encrypt(ticketBody, KeyType.AS_TGS_Key, KeyType.Iv);

            // Client/TGS session key. GenerateDesCryProvider takes the seed and IV by ref; its return value
            // replaces the seed (presumably a freshly generated key — confirm in the DES helper).
            string sessionKey = KeyType.Session_Key_1;
            string iv = KeyType.Iv;
            sessionKey = desCryp.GenerateDesCryProvider(ref sessionKey, ref iv);

            // Signature over the session key's hash with the server's private key.
            // NOTE(review): only the session key is signed; the sealed payload itself carries no integrity tag.
            string keyHash = "";
            rsaCrpt.GetHash(sessionKey, ref keyHash);
            string signature = "";
            rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), keyHash, ref signature);

            // Outer payload for the client, sealed with the AS/client key.
            string payload = string.Join("|", sealedTicket, sessionKey, user.UserCode);
            string reply = desCryp.Encrypt(payload, KeyType.AS_Client_Key, KeyType.Iv);

            tgticket = issued;
            return reply + "," + signature;
        }
        /// <summary>
        /// Looks the user up by name and password and, when found, builds the AS reply via
        /// <see cref="CreateKerbAsResp"/>.
        /// </summary>
        /// <param name="kerbAsReq">Request carrying <c>UserName</c> and <c>UserPwd</c>.</param>
        /// <param name="errorInfo">Set to an error message when the credentials are rejected; left untouched otherwise.</param>
        /// <param name="tgticket">The issued TGT, or null when the credentials are rejected.</param>
        /// <param name="kerbAsResponse">The AS reply string, or "" when the credentials are rejected.</param>
        /// <returns>The matched user, or null when no user matches.</returns>
        public User UserValidate(KerbASRequest kerbAsReq, ref string errorInfo, out TGTicket tgticket, out string kerbAsResponse)
        {
            User user = LoginService.GetUser(kerbAsReq.UserName, kerbAsReq.UserPwd);

            // Guard clause: unknown credentials produce an empty reply and a null ticket.
            if (user == null)
            {
                errorInfo = "输入的用户名和密码错误";
                tgticket = null;
                kerbAsResponse = "";
                return null;
            }

            // The AS reply hands the TGT back through the out parameter directly.
            kerbAsResponse = CreateKerbAsResp(user.UserCode, out tgticket);
            return user;
        }
        /*
         *
         * TGT解密的过程不是在:Client端被解密,而是在TGSServer端被解密
         *
         * TGS服务器处理KerbTGSRequest请求,并判断TGTicket是否有效;
         * 有效的话,则直接产生STicket
         * **/
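        /// <summary>
        /// Handles a TGS request: opens the TGT sealed by the AS, checks that the uid the client
        /// encrypted under the client/TGS session key matches the uid inside the ticket, checks the
        /// ticket lifetime, and on success builds the service-ticket response.
        /// </summary>
        /// <param name="kerbTgsRequest">Request carrying <c>session_key_1</c>, <c>encryptUid</c> and <c>encyptgsTicket</c>.</param>
        /// <param name="tgsvalid">True when the TGT passed every check and a response was produced.</param>
        /// <param name="kerbTgsResponse">"sealedSTicket|key1|uid" on success, "" otherwise.</param>
        public void HandleTgsReq(KerbTGSRequest kerbTgsRequest, out bool tgsvalid, out string kerbTgsResponse)
        {
            string session_key_1 = kerbTgsRequest.session_key_1;
            string encryptUid = kerbTgsRequest.encryptUid;
            string encrptTgsTicket = kerbTgsRequest.encyptgsTicket;

            // The TGT is opened here on the TGS, never on the client: it was sealed under the AS/TGS key.
            string tgticket = desCrypt.Decrypt(encrptTgsTicket, KeyType.AS_TGS_Key, KeyType.Iv);
            string[] ticketArray = (tgticket ?? string.Empty).Split('|');

            // A ticket with fewer than three fields cannot be parsed; report it as invalid instead of
            // letting the indexing below throw.
            if (ticketArray.Length < 3)
            {
                tgsvalid = false;
                kerbTgsResponse = "";
                return;
            }

            string uid = ticketArray[0];
            // Parsed with the current culture, matching the Convert.ToString used when the ticket was built.
            DateTime ts2 = Convert.ToDateTime(ticketArray[1]);
            double lifetime2 = Convert.ToDouble(ticketArray[2]);
            TGTicket tgtTicket = new TGTicket(uid, ts2, lifetime2);

            // The client proves possession of the session key by encrypting its uid under it.
            string validUid = desCrypt.Decrypt(encryptUid, session_key_1, KeyType.Iv);

            // The uid comparison is the only tamper check on the ticket. The null/empty test comes first so
            // a null decrypt result cannot throw. Both failure branches used to call HandleTgsReq again with
            // the same request, which recursed without bound; an invalid ticket is now simply reported.
            if (string.IsNullOrEmpty(validUid) || !string.Equals(validUid, uid, StringComparison.Ordinal))
            {
                tgsvalid = false;
                kerbTgsResponse = "";
                return;
            }

            if (IsTGTExpired(tgtTicket))
            {
                tgsvalid = false;
                kerbTgsResponse = "";
                return;
            }

            // Service ticket for the client; it carries the same uid as the TGT.
            STicket sticket = new STicket(uid);
            string key1 = KeyType.Client_AP_Key;  // seed for the client/AP session key
            string iv = KeyType.Iv;
            string sticketBody = string.Join("|",
                sticket.STIdentity,
                Convert.ToString(sticket.TS4),
                Convert.ToString(sticket.LifeTime4),
                uid,
                Convert.ToString(sticket.Adc1));
            string encryptSticket = desCrypt.Encrypt(sticketBody, KeyType.TGS_AP_Key, KeyType.Iv);

            // GenerateDesCryProvider takes seed and IV by ref; its return value replaces the seed
            // (presumably a freshly generated key — confirm in the DES helper).
            key1 = desCrypt.GenerateDesCryProvider(ref key1, ref iv);

            // Signature over the session key's hash. NOTE(review): rsasign is computed but, as in the
            // original, not appended to the response; the client-side parser of this reply is not visible here.
            string hashData = "";
            rsaCrpt.GetHash(key1, ref hashData);
            string rsasign = "";
            rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);

            // Response from the TGS to the client: sealedSTicket|key1|uid.
            tgsvalid = true;
            kerbTgsResponse = string.Join("|", encryptSticket, key1, uid);
        }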
 /// <summary>
 /// Reports whether <paramref name="tgticket"/> has outlived its <c>LifeTime2</c> (in minutes)
 /// since <c>TS2</c>, measured against the local clock (<see cref="DateTime.Now"/>).
 /// </summary>
 /// <param name="tgticket">Ticket whose <c>TS2</c> issue time and <c>LifeTime2</c> are checked.</param>
 /// <returns>True when more than <c>LifeTime2</c> minutes have elapsed.</returns>
 public bool IsTGTExpired(TGTicket tgticket)
 {
     // NOTE(review): assumes TS2 was stamped from the same local clock; a UTC stamp would be
     // off by the zone offset — confirm in TGTicket.
     TimeSpan age = (TimeSpan)(DateTime.Now - tgticket.TS2);
     return age.TotalMinutes > tgticket.LifeTime2;
 }
 // Client处理TGT  登录过程 【有uid】
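 /// <summary>
 /// Client login for an already-known uid: requests the AS reply and keeps the TGT the AS issued.
 /// </summary>
 /// <param name="uid">User id sent to the AS.</param>
 public Client(string uid)
 {
     this.Uid = uid;
     // The AS hands the TGT back through the out parameter, so the earlier
     // `new TGTicket(uid)` placeholder was overwritten immediately and has been dropped.
     this.kerbAsResponse = asServer.CreateKerbAsResp(uid, out tgTicket);
 }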