/// <summary>
/// Add a token header for AP request/response, wrap token or getmic token to make them a complete token.
/// </summary>
/// <param name="tokenBody">The AP request/response, wrap token or getmic token.
/// This argument can be null.</param>
/// <returns>The completed token.</returns>
public static byte[] AddGssApiTokenHeader(byte[] tokenBody,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
List <byte> gssDataList = new List <byte>();
gssDataList.Add(KerberosConstValue.KERBEROS_TAG);
// kerberos oid (1.2.840.113554.1.2.2)
byte[] oid;
oid = KerberosConstValue.GetKerberosOid();
if (tokenBody == null)
{
tokenBody = new byte[0];
}
int length = tokenBody.Length + oid.Length;
if (length > 127)
{
// If the indicated value is 128 or more, it shall be represented in two or more octets,
// with bit 8 of the first octet set to "1" and the remaining bits of the first octet
// specifying the number of additional octets. The subsequent octets carry the value,
// 8 bits per octet, most significant digit first. [rfc 2743]
int temp = length;
int index = 1;
List <byte> lengthList = new List <byte>();
lengthList.Add((byte)(temp & 0xFF));
while ((temp >>= 8) != 0)
{
index++;
lengthList.Add((byte)(temp & 0xFF));
}
gssDataList.Add((byte)(0x80 | index));
lengthList.Reverse();
gssDataList.AddRange(lengthList.ToArray());
}
else
{
// If the indicated value is less than 128, it shall be represented in a single octet with bit 8
// (high order) set to "0" and the remaining bits representing the value. [rfc 2743]
gssDataList.Add((byte)length);
}
gssDataList.AddRange(oid);
gssDataList.AddRange(tokenBody);
if (gssToken == KerberosConstValue.GSSToken.GSSAPI)
{
return(gssDataList.ToArray());
}
else
{
return(KerberosUtility.EncodeInitialNegToken(gssDataList.ToArray(), oidPkt));
}
}
/// <summary>
/// Create a KileClient instance.
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
{
TransportBufferSize = KerberosConstValue.TRANSPORT_BUFFER_SIZE;
this.Context = new KerberosContext(domain, cName, password, accountType, salt);
this.kdcAddress = kdcAddress;
this.kdcPort = kdcPort;
this.transportType = transportType;
this.oidPkt = oidPkt;
this.Context.TransportType = transportType;
}
public static byte[] AddGssApiTokenHeader(KerberosApRequest request,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
byte[] encoded = request.ToBytes();
byte[] token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(
BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REQ)), encoded), oidPkt, gssToken);
return(token);
}
/// <summary>
/// Create a KileClient instance.
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
{
TransportBufferSize = KerberosConstValue.TRANSPORT_BUFFER_SIZE;
this.Context = new KerberosContext(domain, cName, password, accountType, salt);
this.kdcAddress = kdcAddress;
this.kdcPort = kdcPort;
this.transportType = transportType;
this.oidPkt = oidPkt;
this.Context.TransportType = transportType;
}
/// <summary>
/// Verify and remove a token header from AP request/response,
/// wrap token or getmic token.
/// </summary>
/// <param name="completeToken">The complete token got from application message.
/// This argument can be null. If it is null, null will be returned.</param>
/// <returns>The token body without the header.</returns>
/// <exception cref="System.FormatException">Throw FormatException if the token header is incorrect.</exception>
public static byte[] VerifyGssApiTokenHeader(byte[] completeToken, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken)
{
byte[] oid;
oid = KerberosConstValue.GetKerberosOid();
if (completeToken == null || completeToken.Length < KerberosConstValue.GetKerberosOid().Length)
{
throw new FormatException("The GSS-API token header is incomplete!");
}
if (completeToken[0] != KerberosConstValue.KERBEROS_TAG)
{
throw new FormatException("The GSS-API token header is incorrect!");
}
int length = 0;
int index = 2; // the tag and length fields
// If the length value is 128 or more.
if ((completeToken[1] & 0x80) == 0x80)
{
// If the indicated value is 128 or more, it shall be represented in two or more octets,
// with bit 8 of the first octet set to "1" and the remaining bits of the first octet
// specifying the number of additional octets. The subsequent octets carry the value,
// 8 bits per octet, most significant digit first.
int num = completeToken[1] & 0x7F;
index += num;
if (num < 1 || num > 4)
{
throw new FormatException("The GSS-API token length is incorrect!");
}
for (int i = 0; i < num; ++i)
{
length = (length << 8) | completeToken[2 + i];
}
}
else
{
// If the indicated value is less than 128, it shall be represented in a single octet with bit 8
// (high order) set to "0" and the remaining bits representing the value. [rfc 2743]
length = completeToken[1];
}
if (!ArrayUtility.CompareArrays(oid, ArrayUtility.SubArray(completeToken, index, oid.Length)))
{
throw new FormatException("The GSS-API token oid is incorrect!");
}
byte[] tokenBody = ArrayUtility.SubArray(completeToken, index + oid.Length);
return(tokenBody);
}
/// <summary>
/// Generate a new NlmpClient Security Context
/// </summary>
/// <param name="domain" cref="KerberosClientCredential">Login user Credential</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <returns></returns>
public static ClientSecurityContext CreateClientSecurityContext(
string serverName,
AccountCredential credential,
KerberosAccountType accountType,
IPAddress kdcAddress,
int kdcPort,
TransportType transportType,
ClientSecurityContextAttribute contextAttribute,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
string salt = null
)
{
return(new KerberosClientSecurityContext(serverName, credential, accountType, kdcAddress, kdcPort, transportType, contextAttribute, oidPkt, salt));
}
/// <summary>
/// Create a KerberosClientSecurityContext instance.
/// </summary>
/// <param name="domain" cref="KerberosClientCredential">Login user Credential</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClientSecurityContext(
string serverName,
AccountCredential credential,
KerberosAccountType accountType,
IPAddress kdcAddress,
int kdcPort,
TransportType transportType,
ClientSecurityContextAttribute contextAttribute,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
string salt = null
)
{
this.credential = credential;
this.serverName = serverName;
this.contextAttribute = contextAttribute;
this.client = new KerberosClient(this.credential.DomainName, this.credential.AccountName, this.credential.Password, accountType, kdcAddress, kdcPort, transportType, oidPkt, salt);
this.UpdateDefaultSettings();
}
public static void ClassInitialize(TestContext testContext)
{
Initialize(testContext);
BaseTestSite.Log.Add(LogEntryKind.Debug, "Check if current computer is in a domain.");
try
{
using (Domain domain = Domain.GetComputerDomain())
{
DomainController dc = domain.FindDomainController(LocatorOptions.KdcRequired);
KDCIP = dc.IPAddress;
IsComputerInDomain = true;
}
KDCPort = DefaultKdcPort;
OidPkt = KerberosConstValue.OidPkt.KerberosToken;
}
catch
{
IsComputerInDomain = false;
}
}
public static byte[] EncodeInitialNegToken(byte[] token,
KerberosConstValue.OidPkt oidPkt)
{
int[] oidInt;
if (oidPkt == KerberosConstValue.OidPkt.KerberosToken)
{
oidInt = KerberosConstValue.GetKerberosOidInt();
}
else if (oidPkt == KerberosConstValue.OidPkt.MSKerberosToken)
{
oidInt = KerberosConstValue.GetMsKerberosOidInt();
}
else
{
throw new NotSupportedException("oid not support");
}
MechTypeList mechTypeList = new MechTypeList(
new MechType[]
{
new MechType(oidInt)
}
);
Asn1OctetString octetString = new Asn1OctetString(token);
NegTokenInit init = new NegTokenInit(mechTypeList, null, new Asn1OctetString(octetString.ByteArrayValue), new Asn1OctetString((byte[])null));
NegotiationToken negToken = new NegotiationToken(NegotiationToken.negTokenInit, init);
MechType spnegoMech = new MechType(KerberosConstValue.GetSpngOidInt());
InitialNegToken initToken = new InitialNegToken(spnegoMech, negToken);
Asn1BerEncodingBuffer buffer = new Asn1BerEncodingBuffer();
initToken.BerEncode(buffer);
return(buffer.Data);
}
public static void ClassInitialize(TestContext testContext)
{
Initialize(testContext);
BaseTestSite.Log.Add(LogEntryKind.Debug, "Check if current computer is in a domain.");
try
{
using (Domain domain = Domain.GetComputerDomain())
{
DomainController dc = domain.FindDomainController(LocatorOptions.KdcRequired);
KDCIP = dc.IPAddress;
IsComputerInDomain = true;
}
KDCPort = DefaultKdcPort;
OidPkt = KerberosConstValue.OidPkt.KerberosToken;
}
catch
{
IsComputerInDomain = false;
}
}
/// <summary>
/// Create a KileClient instance.
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
: this(domain, cName, password, accountType, armorTicket, armorSessionKey, IPAddress.Parse(kdcAddress), kdcPort, transportType, oidPkt, salt)
{
}
