public DtlsClientSecurityContext( SecurityPackageType packageType, CertificateCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) { if (clientCredential == null) { clientCredential = new CertificateCredential(null); } this.packageType = packageType; this.serverPrincipalName = serverPrincipal; this.securityContextAttributes = contextAttributes; this.targetDataRepresentaion = targetDataRep; SspiUtility.DtlsAcquireCredentialsHandle( packageType, clientCredential, serverPrincipal, NativeMethods.SECPKG_CRED_OUTBOUND, out this.credentialHandle); bStreamSizes = false; hasMoreFragments = false; }
/// <summary> /// Constructor. /// </summary> /// <param name="attributes">the attributes for server</param> /// <param name="nlmpConfig"> /// the config for nlmp client, this param maybe null. if null, spng does not support nlmp. /// </param> /// <param name="kileConfig"> /// the config for kile client, this param maybe null. if null, spng does not support Kerberos. /// </param> /// <exception cref="ArgumentException">at least one of nlmpConfig and kileConfig must not be null</exception> public SpngClientSecurityContext( ClientSecurityContextAttribute attributes, NlmpClientSecurityConfig nlmpConfig, KerberosClientSecurityConfig kileConfig) { InitializeClientSecurityContext(attributes, nlmpConfig, kileConfig, null); }
public KerberosClientSecurityContext(AccountCredential clientCredential, string serviceName, ClientSecurityContextAttribute contextAttributes) { if (clientCredential.DomainName == null) { throw new ArgumentNullException(nameof(clientCredential.DomainName)); } if (clientCredential.AccountName == null) { throw new ArgumentNullException(nameof(clientCredential.AccountName)); } if (clientCredential.Password == null) { throw new ArgumentNullException(nameof(clientCredential.Password)); } if (serviceName == null) { throw new ArgumentNullException(nameof(serviceName)); } this.contextAttribute = contextAttributes; client = new KileClient(clientCredential.DomainName, clientCredential.AccountName, clientCredential.Password, KileAccountType.User); this.serverName = serviceName; domain = clientCredential.DomainName; userLogonName = clientCredential.AccountName; client.Connect(clientCredential.DomainName, ConstValue.KDC_PORT, KileConnectionType.TCP); InitContextSize(); }
public static ClientSecurityContext CreateClientSecurityContext( string serverName, AccountCredential credential, ClientSecurityContextAttribute contextAttribute ) { return(CreateClientSecurityContext(serverName, credential, KerberosAccountType.User, credential.DomainName, 88, TransportType.TCP, contextAttribute)); }
/// <summary> /// initialize the client security context. /// </summary> /// <param name="attributes">the attributes for server</param> /// <param name="nlmpConfig"> /// the config for nlmp client, this param maybe null. if null, spng does not support nlmp. /// </param> /// <param name="kileConfig"> /// the config for kile client, this param maybe null. if null, spng does not support Kerberos. /// </param> /// <param name="sspiConfig"> /// the config for sspi client, this param maybe null. if null, spng does not support sspi. /// </param> /// <exception cref="ArgumentException"> /// at least one of nlmpConfig, kileConfig and sspiConfig must not be null /// </exception> private void InitializeClientSecurityContext( ClientSecurityContextAttribute attributes, NlmpClientSecurityConfig nlmpConfig, KerberosClientSecurityConfig kileConfig, SspiClientSecurityConfig sspiConfig) { if (nlmpConfig == null && kileConfig == null && sspiConfig == null) { throw new ArgumentException("at least one of nlmpConfig, kileConfig and sspiConfig must not be null"); } List <SecurityConfig> configList = new List <SecurityConfig>(); // build the mech types List <MechType> mechTypes = new List <MechType>(); if (kileConfig != null) { configList.Add(kileConfig); mechTypes.Add(new MechType(Consts.KerbOidInt)); } if (nlmpConfig != null) { configList.Add(nlmpConfig); mechTypes.Add(new MechType(Consts.NlmpOidInt)); } if (sspiConfig != null) { configList.Add(sspiConfig); switch (sspiConfig.SecurityType) { case SecurityPackageType.Ntlm: mechTypes.Add(new MechType(Consts.NlmpOidInt)); break; case SecurityPackageType.Kerberos: mechTypes.Add(new MechType(Consts.KerbOidInt)); break; default: mechTypes.Add(new MechType(Consts.UnknownOidInt)); break; } } // build a spng config SpngClientSecurityConfig spngConfig = new SpngClientSecurityConfig(attributes, new MechTypeList(mechTypes.ToArray())); // add spng config to config list. configList.Insert(0, spngConfig); // initialize the spng client this.client = new SpngClient(spngConfig); this.needContinueProcessing = true; this.packageType = SecurityPackageType.Negotiate; this.securityConfigList = configList.ToArray(); }
/// <summary> /// Constructor, use the constructor of base class /// </summary> /// <param name="attributes">Security context attributes</param> /// <param name="mechList">The supported MechType list</param> /// <exception cref="ArgumentNullException">mechList must not be null</exception> public SpngClientSecurityConfig( ClientSecurityContextAttribute attributes, MechTypeList mechList) : base((uint)attributes, mechList) { if (mechList == null) { throw new ArgumentNullException("mechList"); } }
/// <summary> /// Constructor /// </summary> /// <param name="account">Client account credential.</param> /// <param name="target">SPN of the service to which the client wishes to authenticate.</param> /// <param name="securityAttributes">Security Attributes.</param> public NlmpClientSecurityConfig( AccountCredential account, string target, ClientSecurityContextAttribute securityAttributes) : base(SecurityPackageType.Ntlm) { this.clientCredential = account; this.targetName = target; this.SecurityAttributes = securityAttributes; }
/// <summary> /// constructor /// </summary> /// <param name="credential">the client credential contains the user information</param> /// <param name="contextAttribute">the client Context Attribute</param> /// <exception cref="ArgumentNullException">the previousContext must be null</exception> public NlmpClientSecurityContext(NlmpClientCredential credential, ClientSecurityContextAttribute contextAttribute) : this(credential) { this.contextAttribute = contextAttribute; this.Context.Integrity = contextAttribute.HasFlag(ClientSecurityContextAttribute.Integrity); this.Context.ReplayDetect = contextAttribute.HasFlag(ClientSecurityContextAttribute.ReplayDetect); this.Context.SequenceDetect = contextAttribute.HasFlag(ClientSecurityContextAttribute.SequenceDetect); this.Context.Confidentiality = contextAttribute.HasFlag(ClientSecurityContextAttribute.Confidentiality); this.Context.Datagram = contextAttribute.HasFlag(ClientSecurityContextAttribute.Datagram); this.Context.Identify = contextAttribute.HasFlag(ClientSecurityContextAttribute.Identify); }
/// <summary> /// Constructor /// </summary> /// <param name="clientCredential">Client account credential.</param> /// <param name="serverPrincipal">Server principal.</param> /// <param name="contextAttributes">Client security context attributes.</param> /// <param name="targetDataRep">The data representation, such as byte ordering, on the target.</param> public SspiClientSecurityConfig( AccountCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) : base(SecurityPackageType.Unknown) { this.clientCredential = clientCredential; this.serverPrincipal = serverPrincipal; this.securityAttributes = contextAttributes; this.targetDataRep = targetDataRep; }
/// <summary> /// Constructor. /// </summary> /// <param name="account">Account credential.</param> /// <param name="logonName">Logon name.</param> /// <param name="serviceName">Service name.</param> /// <param name="kdcIpAddress">KDC IP address</param> /// <param name="attributes">Client security attributes.</param> /// <param name="connectionType">Connection type.</param> public KerberosClientSecurityConfig( AccountCredential account, string serviceName, ClientSecurityContextAttribute attributes) : base(SecurityPackageType.Kerberos) { this.clientCredential = account; this.logonName = account.AccountName; this.serviceName = serviceName; this.kdcIpAddress = account.DomainName.ParseIPAddress(); this.securityAttributes = attributes; this.transportType = TransportType.TCP; }
/// <summary> /// Constructor with client credential, principal of server, ContextAttributes and TargetDataRep. /// </summary> /// <param name="packageType">Specifies the name of the security package with which these credentials will be used /// </param> /// <param name="clientCredential">Client account credential</param> /// <param name="serverPrincipal">Server principal name</param> /// <param name="contextAttributes">Context attributes</param> /// <param name="targetDataRep">The data representation, such as byte ordering, on the target. /// This parameter can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.</param> public SspiClientSecurityContext( SecurityPackageType packageType, CertificateCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) { this.packageType = packageType; this.serverPrincipalName = serverPrincipal; this.securityContextAttributes = contextAttributes; this.targetDataRepresentaion = targetDataRep; this.AcquireCredentialsHandle(clientCredential); }
/// <summary> /// Generate a new NlmpClient Security Context /// </summary> /// <param name="domain" cref="KerberosClientCredential">Login user Credential</param> /// <param name="accountType">The type of the logon account. User or Computer</param> /// <param name="kdcAddress">The IP address of the KDC.</param> /// <param name="kdcPort">The port of the KDC.</param> /// <param name="transportType">Whether the transport is TCP or UDP transport.</param> /// <returns></returns> public static ClientSecurityContext CreateClientSecurityContext( string serverName, AccountCredential credential, KerberosAccountType accountType, IPAddress kdcAddress, int kdcPort, TransportType transportType, ClientSecurityContextAttribute contextAttribute, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null ) { return(new KerberosClientSecurityContext(serverName, credential, accountType, kdcAddress, kdcPort, transportType, contextAttribute, oidPkt, salt)); }
/// <summary> /// Constructor. /// </summary> /// <param name="account">Account credential.</param> /// <param name="logonName">Logon name.</param> /// <param name="serviceName">Service name.</param> /// <param name="kdcIpAddress">KDC IP address</param> /// <param name="attributes">Client security attributes.</param> /// <param name="connectionType">Connection type.</param> public KerberosClientSecurityConfig( AccountCredential account, string logonName, string serviceName, IPAddress kdcIpAddress, ClientSecurityContextAttribute attributes, TransportType transportType) : base(SecurityPackageType.Kerberos) { this.clientCredential = account; this.logonName = logonName; this.serviceName = serviceName; this.kdcIpAddress = kdcIpAddress; this.securityAttributes = attributes; this.transportType = transportType; }
public KerberosClientSecurityContext(AccountCredential clientCredential, string logonName, string serviceName, IPAddress kdcIpAddress, ClientSecurityContextAttribute contextAttributes, KileConnectionType transportType) { if (clientCredential.DomainName == null) { throw new ArgumentNullException(nameof(clientCredential.DomainName)); } if (clientCredential.AccountName == null) { throw new ArgumentNullException(nameof(clientCredential.AccountName)); } if (clientCredential.Password == null) { throw new ArgumentNullException(nameof(clientCredential.Password)); } if (kdcIpAddress == null) { throw new ArgumentNullException(nameof(kdcIpAddress)); } if (logonName == null) { throw new ArgumentNullException(nameof(logonName)); } if (serviceName == null) { throw new ArgumentNullException(nameof(serviceName)); } client = new KileClient(clientCredential.DomainName, clientCredential.AccountName, clientCredential.Password, KileAccountType.User); service = serviceName; domain = clientCredential.DomainName; userLogonName = logonName; contextAttribute = contextAttributes; client.Connect(kdcIpAddress.ToString(), ConstValue.KDC_PORT, transportType); contextSizes = new SecurityPackageContextSizes(); contextSizes.MaxTokenSize = ConstValue.MAX_TOKEN_SIZE; contextSizes.MaxSignatureSize = ConstValue.MAX_SIGNATURE_SIZE; contextSizes.BlockSize = ConstValue.BLOCK_SIZE; contextSizes.SecurityTrailerSize = ConstValue.SECURITY_TRAILER_SIZE; }
public DtlsClientSecurityContext( SecurityPackageType packageType, CertificateCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) { if (clientCredential == null) { clientCredential = new CertificateCredential(null); } this.packageType = packageType; this.serverPrincipalName = serverPrincipal; this.securityContextAttributes = contextAttributes; this.targetDataRepresentaion = targetDataRep; this.Context = new Sspi.DtlsClientSecurityContext(packageType, clientCredential, serverPrincipal, contextAttributes, targetDataRep) as IDtlsClientSecurityContext; }
/// <summary> /// Create a KerberosClientSecurityContext instance. /// </summary> /// <param name="domain" cref="KerberosClientCredential">Login user Credential</param> /// <param name="accountType">The type of the logon account. User or Computer</param> /// <param name="kdcAddress">The IP address of the KDC.</param> /// <param name="kdcPort">The port of the KDC.</param> /// <param name="transportType">Whether the transport is TCP or UDP transport.</param> /// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception> public KerberosClientSecurityContext( string serverName, AccountCredential credential, KerberosAccountType accountType, IPAddress kdcAddress, int kdcPort, TransportType transportType, ClientSecurityContextAttribute contextAttribute, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null ) { this.credential = credential; this.serverName = serverName; this.contextAttribute = contextAttribute; this.client = new KerberosClient(this.credential.DomainName, this.credential.AccountName, this.credential.Password, accountType, kdcAddress, kdcPort, transportType, oidPkt, salt); this.UpdateDefaultSettings(); }
/// <summary> /// Constructor with client credential, principal of server, ContextAttributes and TargetDataRep. /// </summary> /// <param name="packageType">Specifies the name of the security package with which these credentials will be used /// </param> /// <param name="clientCredential">Client account credential, if null, use default user account</param> /// <param name="serverPrincipal">Server principal name</param> /// <param name="contextAttributes">Context attributes</param> /// <param name="targetDataRep">The data representation, such as byte ordering, on the target. /// This parameter can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.</param> public SspiClientSecurityContext( SecurityPackageType packageType, AccountCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) { this.packageType = packageType; this.serverPrincipalName = serverPrincipal; this.securityContextAttributes = contextAttributes; this.targetDataRepresentaion = targetDataRep; SspiUtility.AcquireCredentialsHandle( packageType, clientCredential, serverPrincipal, NativeMethods.SECPKG_CRED_OUTBOUND, out this.credentialHandle); }
public KerberosClientSecurityContext(AccountCredential clientCredential, string logonName, string serviceName, IPAddress kdcIpAddress, ClientSecurityContextAttribute contextAttributes, KileConnectionType transportType) { if (clientCredential.DomainName == null) { throw new ArgumentNullException(nameof(clientCredential.DomainName)); } if (clientCredential.AccountName == null) { throw new ArgumentNullException(nameof(clientCredential.AccountName)); } if (clientCredential.Password == null) { throw new ArgumentNullException(nameof(clientCredential.Password)); } if (kdcIpAddress == null) { throw new ArgumentNullException(nameof(kdcIpAddress)); } if (logonName == null) { throw new ArgumentNullException(nameof(logonName)); } if (serviceName == null) { throw new ArgumentNullException(nameof(serviceName)); } client = new KileClient(clientCredential.DomainName, clientCredential.AccountName, clientCredential.Password, KileAccountType.User); this.serverName = serviceName; domain = clientCredential.DomainName; userLogonName = logonName; contextAttribute = contextAttributes; client.Connect(kdcIpAddress.ToString(), ConstValue.KDC_PORT, transportType); InitContextSize(); }
/// <summary> /// Generate the Generic Security Service (GSS) Kerberos authentication token for a user. /// </summary> /// <param name="user">The user.</param> /// <returns>The GSS Kerberos authentication token in type of DRS_SecBuffer.</returns> public static DRS_SecBufferDesc GetAuthenticationToken(string account, string pwd, string domain, string spn) { ClientSecurityContextAttribute contextAttr = ClientSecurityContextAttribute.Connection | //ClientSecurityContextAttribute.Integrity | ClientSecurityContextAttribute.Confidentiality //| //ClientSecurityContextAttribute.UseSessionKey //| //ClientSecurityContextAttribute.Delegate ; SspiClientSecurityContext securityContext = new SspiClientSecurityContext( SecurityPackageType.Kerberos, new AccountCredential(domain, account, pwd), spn, contextAttr, SecurityTargetDataRepresentation.SecurityNativeDrep); //securityContext.Initialize(null); string kdcIpAddr = GetIPAddress(domain); byte[] token = GenerateGssApToken(kdcIpAddr, account, pwd, domain, spn, KerberosAccountType.User); DRS_SecBufferDesc pClientCreds = new DRS_SecBufferDesc(); pClientCreds.ulVersion = ulVersion_Values.V1; //pClientCreds.Buffers = null; pClientCreds.cBuffers = 1; pClientCreds.Buffers = new DRS_SecBuffer[1]; DRS_SecBuffer secBuf = new DRS_SecBuffer(); secBuf.BufferType = BufferType_Values.SECBUFFER_TOKEN; secBuf.pvBuffer = token; secBuf.cbBuffer = (uint)secBuf.pvBuffer.Length; pClientCreds.Buffers[0] = secBuf; return(pClientCreds); }
public DtlsClientSecurityContext( SecurityPackageType packageType, CertificateCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) { if (clientCredential == null) clientCredential = new CertificateCredential(null); this.packageType = packageType; this.serverPrincipalName = serverPrincipal; this.securityContextAttributes = contextAttributes; this.targetDataRepresentaion = targetDataRep; SspiUtility.DtlsAcquireCredentialsHandle( packageType, clientCredential, serverPrincipal, NativeMethods.SECPKG_CRED_OUTBOUND, out this.credentialHandle); bStreamSizes = false; hasMoreFragments = false; }
/// <summary> /// AcquireCredentialsHandle /// </summary> /// <param name="accountCredential"></param> protected void AcquireCredentialsHandle <T>(T accountCredential) { if (!string.IsNullOrEmpty(this.serverPrincipalName)) { this.serverPrincipalName = GetServicePrincipalName(this.serverPrincipalName); } switch (packageType) { case SecurityPackageType.Ntlm: { if (accountCredential is AccountCredential) { var credential = accountCredential as AccountCredential; this.Context = new NlmpClientSecurityContext( new NlmpClientCredential( this.serverPrincipalName, credential.DomainName, credential.AccountName, credential.Password) ); } else { throw new NotSupportedException("NTLM only support AccountCredential, Please provide an AccountCredential and try again."); } return; } case SecurityPackageType.Kerberos: { if (accountCredential is AccountCredential) { var credential = accountCredential as AccountCredential; IPAddress kdcIpAddress = (string.IsNullOrEmpty(KerberosContext.KDCComputerName) ? credential.DomainName : KerberosContext.KDCComputerName).ParseIPAddress(); this.Context = KerberosClientSecurityContext.CreateClientSecurityContext( this.serverPrincipalName, credential, KerberosAccountType.User, kdcIpAddress, KerberosContext.KDCPort, TransportType.TCP, this.securityContextAttributes ); } else { throw new NotSupportedException("Kerberos only support AccountCredential, Please provide an AccountCredential and try again."); } return; } case SecurityPackageType.Negotiate: { if (accountCredential is AccountCredential) { if (this.securityContextAttributes == ClientSecurityContextAttribute.None) { this.securityContextAttributes = ClientSecurityContextAttribute.MutualAuth; // MS-SPNG 3.3.3 The client MUST request Mutual Authentication services } var credential = accountCredential as AccountCredential; NlmpClientSecurityConfig nlmpSecurityConfig = new NlmpClientSecurityConfig(credential, this.serverPrincipalName, this.securityContextAttributes); IPAddress kdcIpAddress = (string.IsNullOrEmpty(KerberosContext.KDCComputerName) ? credential.DomainName : KerberosContext.KDCComputerName).ParseIPAddress(); KerberosClientSecurityConfig kerberosSecurityConfig = new KerberosClientSecurityConfig( credential, credential.AccountName, this.serverPrincipalName, kdcIpAddress, KerberosContext.KDCPort, this.securityContextAttributes, TransportType.TCP ); this.Context = new SpngClientSecurityContext(this.securityContextAttributes, nlmpSecurityConfig, kerberosSecurityConfig); } else { throw new NotSupportedException("Negotiate SSP only support AccountCredential, Please provide an AccountCredential and try again."); } return; } //case SecurityPackageType.Schannel: // throw new NotImplementedException(); //case SecurityPackageType.CredSsp: // throw new NotImplementedException(); //default: // throw new NotImplementedException(); } this.UseNativeSSP(accountCredential); }
public SspiClientSecurityContext( SecurityPackageType packageType, AccountCredential clientCredential, string serverPrincipal, ClientSecurityContextAttribute contextAttributes, SecurityTargetDataRepresentation targetDataRep) { this.packageType = packageType; this.serverPrincipalName = serverPrincipal; this.securityContextAttributes = contextAttributes; this.targetDataRepresentaion = targetDataRep; SspiUtility.AcquireCredentialsHandle( packageType, clientCredential, serverPrincipal, NativeMethods.SECPKG_CRED_OUTBOUND, out this.credentialHandle); }