public ETypeNegotiationRestriction(KrbAuthorizationData authz) : base(authz?.Type ?? 0, AuthorizationDataType.AdETypeNegotiation) { var etypes = KrbETypeList.Decode(authz.Data); this.ETypes = new List <EncryptionType>(etypes.List); }
private void ShowAuthorizationData(string title, KrbAuthorizationData auth) { if (auth != null) { AADKerberosLogger.Save($" {title}.Type: {auth.Type}"); AADKerberosLogger.Save($" {title}.Data.Length: {auth.Data.Length}"); AADKerberosLogger.Save($" {title}.Data.Value:"); AADKerberosLogger.PrintBinaryData(auth.Data.ToArray()); } }
public KerbAuthDataTokenRestriction(KrbAuthorizationData authz) : base(authz.Type, AuthorizationDataType.KerbAuthDataTokenRestrictions) { var restriction = KrbAuthorizationDataSequence.Decode(authz.Data); foreach (var data in restriction.AuthorizationData) { RestrictionType = (int)data.Type; Restriction = new LsapTokenInfoIntegrity(data.Data.ToArray()); break; } }
private void DecodePac(DecryptedKrbApReq krbApReq, List <Claim> claims, KrbAuthorizationData authz) { var pac = new PrivilegedAttributeCertificate(authz.Data.ToArray()); if (!pac.HasRequiredFields) { return; } if (validator.ValidateAfterDecrypt.HasFlag(ValidationActions.Pac)) { ValidatePacSignature(pac, krbApReq.SName); } MergeAttributes(krbApReq.Ticket, pac, claims); }
private void DecodeAdIfRelevant( DecryptedKrbApReq krbApReq, List <Claim> claims, KrbAuthorizationData authData, List <Restriction> restrictions ) { var adif = authData.DecodeAdIfRelevant(); foreach (var authz in adif) { switch (authz.Type) { case AuthorizationDataType.AdIfRelevant: DecodeAdIfRelevant(krbApReq, claims, authz, restrictions); break; case AuthorizationDataType.AdWin2kPac: DecodePac(krbApReq, claims, authz, restrictions); break; case AuthorizationDataType.AdETypeNegotiation: restrictions.Add(new ETypeNegotiationRestriction(authz)); break; case AuthorizationDataType.KerbAuthDataTokenRestrictions: restrictions.Add(new KerbAuthDataTokenRestriction(authz)); break; case AuthorizationDataType.KerbApOptions: restrictions.Add(new KerbApOptionsRestriction(authz)); break; case AuthorizationDataType.KerbLocal: restrictions.Add(new KerbLocalRestriction(authz)); break; case AuthorizationDataType.KerbServiceTarget: restrictions.Add(new KerbServiceTargetRestriction(authz)); break; default: Debug.WriteLine($"Unknown authorization-data type {authData.Type} \r\n{authData.Data.DumpHex()}"); break; } } }
private void DecodePac(DecryptedKrbApReq krbApReq, List <Claim> claims, KrbAuthorizationData authz, List <Restriction> restrictions) { var pac = new PrivilegedAttributeCertificate(authz, SignatureMode.Server); if (!pac.HasRequiredFields) { return; } if (this.validator.ValidateAfterDecrypt.HasFlag(ValidationActions.Pac)) { this.ValidatePacSignature(pac, krbApReq.SName); } this.MergeAttributes(krbApReq.Ticket, pac, claims); restrictions.Add(pac); }
public KerbApOptionsRestriction(KrbAuthorizationData authz) : base(authz.Type, AuthorizationDataType.KerbApOptions) { Options = (ApOptions)authz.Data.AsLong(littleEndian: true); }
public KerbLocalRestriction(KrbAuthorizationData authz) : base(authz.Type, AuthorizationDataType.KerbLocal) { Value = authz.Data.ToArray(); }
public KerbServiceTargetRestriction(KrbAuthorizationData authz) : base(authz.Type, AuthorizationDataType.KerbServiceTarget) { ServiceName = Encoding.Unicode.GetString(authz.Data.ToArray()); }
public KerbLocalRestriction(KrbAuthorizationData authz) : base(authz?.Type ?? 0, AuthorizationDataType.KerbLocal) { this.Value = new ReadOnlySequence <byte>(authz.Data); }
public KerbApOptionsRestriction(KrbAuthorizationData authz) : base(authz.Type, AuthorizationDataType.KerbApOptions) { Options = (ApOptions)BinaryPrimitives.ReadInt32LittleEndian(authz.Data.Span); }
public KerbServiceTargetRestriction(KrbAuthorizationData authz) : base(authz.Type, AuthorizationDataType.KerbServiceTarget) { ServiceName = MemoryMarshal.Cast <byte, char>(authz.Data.Span).ToString(); }