public void PrincipalName_Equality_ServiceTypes_WithRealm() { var a = KrbPrincipalName.FromString("host/[email protected]"); var b = KrbPrincipalName.FromString("host/[email protected]"); Assert.IsTrue(a.Matches(b)); }
public void KrbAuthenticator_Roundtrip() { var auth = new KrbAuthenticator { AuthorizationData = new[] { new KrbAuthorizationData { Data = new byte[16], Type = AuthorizationDataType.AdAndOr } }, Checksum = KrbChecksum.Create(new byte[16], new KerberosKey(key: new byte[16], etype: EncryptionType.AES128_CTS_HMAC_SHA1_96), KeyUsage.AdKdcIssuedChecksum), CName = KrbPrincipalName.FromString("*****@*****.**"), CTime = DateTimeOffset.UtcNow, CuSec = 1234, Realm = "blah.com", SequenceNumber = 123456, Subkey = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96) }; var encoded = auth.EncodeApplication(); var decoded = KrbAuthenticator.DecodeApplication(encoded); Assert.IsNotNull(decoded); Assert.IsNotNull(decoded.AuthorizationData); Assert.AreEqual(1, decoded.AuthorizationData.Length); Assert.AreEqual(AuthorizationDataType.AdAndOr, decoded.AuthorizationData[0].Type); Assert.AreEqual("*****@*****.**", decoded.CName.FullyQualifiedName); }
public void MultipleVersionsInSameKeytab() { var keys = new[] { new KerberosKey( "password", new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }), host: "appservice", etype: EncryptionType.AES256_CTS_HMAC_SHA1_96, kvno: 1 ), new KerberosKey( "password", new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }), host: "appservice", etype: EncryptionType.AES256_CTS_HMAC_SHA1_96, kvno: 2 ), new KerberosKey( "password", new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "REALM.COM", new[] { "host/appservice" }), host: "appservice", etype: EncryptionType.AES256_CTS_HMAC_SHA1_96, kvno: 12 ) }; var keytable = new KeyTable(keys); var key = keytable.GetKey(EncryptionType.AES256_CTS_HMAC_SHA1_96, KrbPrincipalName.FromString("host/appservice")); Assert.AreEqual(12, key.Version); }
public void PrincipalName_Equality_DifferentServiceTypes() { var a = KrbPrincipalName.FromString("aaaa/aaaa"); var b = KrbPrincipalName.FromString("bbbb/aaaa"); Assert.IsFalse(a.Matches(b)); }
private static object CredToCacheEntry(Krb5Credential cred) { return(new KerberosClientCacheEntry { KdcResponse = new KrbTgsRep { Ticket = KrbTicket.DecodeApplication(cred.Ticket), CName = KrbPrincipalName.FromString(cred.Client.FullyQualifiedName, cred.Client.Type), CRealm = cred.Client.Realm, EncPart = new KrbEncryptedData { } }, SessionKey = new KrbEncryptionKey { EType = cred.KeyBlock.Key, KeyValue = cred.KeyBlock.Value }, Flags = cred.Flags, SName = KrbPrincipalName.FromString(cred.Server.FullyQualifiedName), AuthTime = cred.AuthTime, StartTime = cred.StartTime, EndTime = cred.EndTime, RenewTill = cred.RenewTill <= DateTimeOffset.MinValue ? null : cred.RenewTill }); }
private static KerberosKey ConvertKey(NetworkCredential creds, bool tryAsKey) { string domain = creds.Domain ?? ""; var userSplit = creds.UserName.Split(new[] { '\\', '@' }, StringSplitOptions.RemoveEmptyEntries); string username = userSplit[0]; if (userSplit.Length > 1) { domain = userSplit[1]; } var name = KrbPrincipalName.FromString(username, realm: domain); if (tryAsKey) { return(new KerberosKey( key: Convert.FromBase64String(creds.Password), principal: new PrincipalName(PrincipalNameType.NT_SRV_HST, domain, name.Name), host: username )); } else { return(new KerberosKey( creds.Password, new PrincipalName(PrincipalNameType.NT_SRV_HST, domain, name.Name), host: username )); } }
internal object GetCacheItem(string key) { Krb5Credential cred = this.FindCredential(key); if (cred is null) { return(cred); } return(new KerberosClientCacheEntry { KdcResponse = new KrbTgsRep { Ticket = KrbTicket.DecodeApplication(cred.Ticket), CName = KrbPrincipalName.FromString(cred.Client.FullyQualifiedName), CRealm = cred.Client.Realm, EncPart = new KrbEncryptedData { } }, SessionKey = new KrbEncryptionKey { EType = cred.KeyBlock.Key, KeyValue = cred.KeyBlock.Value }, Flags = cred.Flags, SName = KrbPrincipalName.FromString(cred.Server.FullyQualifiedName) }); }
public void PrincipalName_Equality_Matches() { var a = KrbPrincipalName.FromString("*****@*****.**"); var b = KrbPrincipalName.FromString("*****@*****.**"); Assert.IsTrue(a.Matches(b)); }
public void PrincipalName_X500_IncludeDomain() { var principal = KrbPrincipalName.FromString(principal: "CN=test,OU=blah", type: PrincipalNameType.NT_X500_PRINCIPAL, realm: "corp.test.internal"); Assert.AreEqual("CN=test,OU=blah,DC=corp,DC=test,DC=internal", principal.FullyQualifiedName); Assert.AreEqual(5, principal.Name.Length); }
public void PrincipalName_Empty() { var principal = KrbPrincipalName.FromString(principal: ""); Assert.IsNotNull(principal); Assert.AreEqual("", principal.FullyQualifiedName); }
public void PrincipalName_DifferentRealms() { var principal = KrbPrincipalName.FromString(principal: "*****@*****.**", realm: "corp.test.internal"); Assert.AreEqual("*****@*****.**", principal.FullyQualifiedName); Assert.AreEqual(1, principal.Name.Length); }
public void PrincipalName_SrvInst() { var principal = KrbPrincipalName.FromString(principal: "krbtgt", type: PrincipalNameType.NT_SRV_INST, realm: "corp.test.internal"); Assert.AreEqual("krbtgt/corp.test.internal", principal.FullyQualifiedName); Assert.AreEqual(2, principal.Name.Length); }
public void PrincipalName_Equality_DifferentNames() { var a = KrbPrincipalName.FromString("*****@*****.**"); var b = KrbPrincipalName.FromString("*****@*****.**"); Assert.IsFalse(a.Matches(b)); }
public void PrincipalName_NoRealm_SrvInst() { var principal = KrbPrincipalName.FromString("host/test.internal", type: PrincipalNameType.NT_SRV_INST); Assert.AreEqual("host/test.internal", principal.FullyQualifiedName); Assert.AreEqual(2, principal.Name.Length); }
protected override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { var realmService = new FakeRealmService(Realm); var principal = realmService.Principals.Find(KrbPrincipalName.FromString(UserUpn)); var principalKey = principal.RetrieveLongTermCredential(); var rst = new ServiceTicketRequest { Principal = principal, EncryptedPartKey = principalKey, ServicePrincipalKey = new KerberosKey(key: TgtKey, etype: EncryptionType.AES256_CTS_HMAC_SHA1_96) }; var tgt = KrbAsRep.GenerateTgt(rst, realmService); var encoded = tgt.EncodeApplication(); var response = new Memory <byte>(new byte[encoded.Length + 4]); BinaryPrimitives.WriteInt32BigEndian(response.Span.Slice(0, 4), encoded.Length); encoded.CopyTo(response.Slice(4)); var kdcMessage = new KdcProxyMessage { KerbMessage = response }; return(Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK) { Content = new ByteArrayContent(kdcMessage.Encode().ToArray()) })); }
public void PrincipalName_Equality_Matches_DifferentNameTypes_Service() { var a = KrbPrincipalName.FromString("host/[email protected]", PrincipalNameType.NT_SRV_HST); var b = KrbPrincipalName.FromString("*****@*****.**", PrincipalNameType.NT_PRINCIPAL); Assert.IsFalse(a.Matches(b)); }
public void PrincipalName_NoRealm() { var principal = KrbPrincipalName.FromString("*****@*****.**"); Assert.AreEqual("*****@*****.**", principal.FullyQualifiedName); Assert.AreEqual(1, principal.Name.Length); }
private static TicketCacheEntry CreateCacheEntry(string key = "krbtgt/bar.com") { return(new TicketCacheEntry { Key = key, Value = new KerberosClientCacheEntry { KdcResponse = new KrbAsRep { CName = KrbPrincipalName.FromString("*****@*****.**"), CRealm = "bar.com", Ticket = new KrbTicket { Realm = "bar.com", SName = KrbPrincipalName.FromString(key), EncryptedPart = new KrbEncryptedData { EType = EncryptionType.AES128_CTS_HMAC_SHA1_96, Cipher = Array.Empty <byte>() } } }, SessionKey = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96), SName = KrbPrincipalName.FromString(key) } }); }
public void KerberosKeyExportFile() { var file = KerberosKey.GenerateFile( "P@ssw0rd!", new Guid("0aa29dcb-3a9b-413f-aee2-8df91fd1118e"), KrbPrincipalName.FromString( "host/test.identityintervention.com", PrincipalNameType.NT_SRV_INST, "corp.identityintervention.com" ) ); var keytab = new KeyTable(file.ToArray()); Assert.AreEqual(1, keytab.Entries.Count()); var key = keytab.Entries.First(); Assert.AreEqual(EncryptionType.AES256_CTS_HMAC_SHA1_96, key.EncryptionType); var derivedKey = key.Key.GetKey(null); Assert.IsNotNull(derivedKey); var expectedKey = new byte[] { 0xbc, 0x31, 0x7e, 0x82, 0x48, 0x55, 0xcb, 0xa0, 0x3f, 0x70, 0xbe, 0x93, 0x0a, 0xa5, 0x0f, 0xef, 0x6a, 0x64, 0x7c, 0xc3, 0x99, 0x36, 0x63, 0xee, 0xa5, 0x39, 0x2f, 0xab, 0xd9, 0x01, 0xad, 0xce }; Assert.IsTrue(expectedKey.SequenceEqual(derivedKey.ToArray())); }
public void PrincipalName_Equality_ServiceTypeAliasesMatch() { var a = KrbPrincipalName.FromString("host/aaaa"); var b = KrbPrincipalName.FromString("bbbb/aaaa"); KrbPrincipalName.ServiceAliases["bbbb"] = "host"; Assert.IsTrue(a.Matches(b)); }
public IKerberosPrincipal Refer() { var fqn = body.SName.FullyQualifiedName; var predictedRealm = fqn.Substring(fqn.IndexOf('.') + 1); var krbName = KrbPrincipalName.FromString($"krbtgt/{predictedRealm}"); return(new FakeKerberosPrincipal(krbName.FullyQualifiedName)); }
public void ParseFileRoundTrip() { var tmp = Path.GetTempFileName(); var cache = new Krb5TicketCache(tmp); try { Assert.IsNotNull(cache); cache.Add(new TicketCacheEntry { Key = "krbtgt/bar.com", Value = new KerberosClientCacheEntry { KdcResponse = new KrbAsRep { CName = KrbPrincipalName.FromString("*****@*****.**"), CRealm = "bar.com", Ticket = new KrbTicket { Realm = "bar.com", SName = KrbPrincipalName.FromString("krbtgt/bar.com"), EncryptedPart = new KrbEncryptedData { EType = EncryptionType.AES128_CTS_HMAC_SHA1_96, Cipher = Array.Empty <byte>() } } }, SessionKey = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96), SName = KrbPrincipalName.FromString("krbtgt/bar.com") } }); using (var secondCache = new Krb5TicketCache(tmp)) { var entry = secondCache.GetCacheItem <KerberosClientCacheEntry>("krbtgt/bar.com"); Assert.IsNotNull(entry.KdcResponse); Assert.AreEqual("bar.com", entry.KdcResponse.CRealm); Assert.AreEqual("*****@*****.**", entry.KdcResponse.CName.FullyQualifiedName); } } finally { cache.Dispose(); if (File.Exists(tmp)) { File.Delete(tmp); } } }
public void KerberosKeyIdMatches() { var key = KerberosKey.DeriveFromKeyId( "P@ssw0rd!", new Guid("0aa29dcb-3a9b-413f-aee2-8df91fd1118e"), KrbPrincipalName.FromString( "host/test.identityintervention.com", PrincipalNameType.NT_SRV_INST, "corp.identityintervention.com" ) ); AssertKeyMatchesGuid(key.EncryptionType, key); }
public void ValidateS4uSelf_Modified() { RetrieveS4u(out KrbTgsReq tgsReq, out KrbEncTicketPart krbtgt); var sessionKey = krbtgt.Key; var paForUserPaData = tgsReq.PaData.FirstOrDefault(pa => pa.Type == PaDataType.PA_FOR_USER); Assert.IsNotNull(paForUserPaData); var paForUser = KrbPaForUser.Decode(paForUserPaData.Value); paForUser.UserName = KrbPrincipalName.FromString("*****@*****.**"); paForUser.ValidateChecksum(sessionKey.AsKey()); }
private static KrbApReq CreateFakeApReq() { return(new KrbApReq { Authenticator = new KrbEncryptedData { Cipher = new byte[16], EType = EncryptionType.AES128_CTS_HMAC_SHA1_96 }, Ticket = new KrbTicket { EncryptedPart = new KrbEncryptedData { Cipher = new byte[16], EType = EncryptionType.AES128_CTS_HMAC_SHA1_96 }, Realm = "test.com", SName = KrbPrincipalName.FromString("host/test.com") } }); }
public void Setup() { var realmService = new FakeRealmService("CORP.BLAH.COM"); this.principal = realmService.Principals.Find(KrbPrincipalName.FromString("*****@*****.**")); this.pac = this.principal.GeneratePac(); this.key = new KerberosKey(new byte[32], etype: EncryptionType.AES256_CTS_HMAC_SHA1_96); var groups = new List <GroupMembership>(); for (var i = 0; i < this.GroupSize; i++) { groups.Add(new GroupMembership { Attributes = SidAttributes.SE_GROUP_ENABLED | SidAttributes.SE_GROUP_MANDATORY, RelativeId = (uint)i }); } this.pac.LogonInfo.GroupIds = groups; var extra = new List <RpcSidAttributes>(); for (var i = 0; i < this.ExtraSize; i++) { extra.Add(new RpcSidAttributes { Attributes = SidAttributes.SE_GROUP_ENABLED | SidAttributes.SE_GROUP_MANDATORY, Sid = new RpcSid() { IdentifierAuthority = new RpcSidIdentifierAuthority { IdentifierAuthority = new byte[] { 0, 0, 0, 0, 0, (byte)IdentifierAuthority.NTAuthority } }, SubAuthority = new uint[] { 21, 3333, 4444, 5555, 111 }, Revision = 1 } }); } this.pac.LogonInfo.ExtraIds = extra; }
public void PacGenerationRoundtrip() { var realmService = new FakeRealmService("foo.com"); var krbtgt = realmService.Principals.Find(KrbPrincipalName.WellKnown.Krbtgt()); var key = krbtgt.RetrieveLongTermCredential(); var user = realmService.Principals.Find(KrbPrincipalName.FromString("*****@*****.**")); var pac = user.GeneratePac(); Assert.IsNotNull(pac); var encoded = pac.Encode(key, key); var decoded = new PrivilegedAttributeCertificate(new KrbAuthorizationData { Type = AuthorizationDataType.AdWin2kPac, Data = encoded }); Assert.IsNotNull(decoded.LogonInfo); }
public void KerberosKeyExportFile() { var file = KerberosKey.GenerateFile( "P@ssw0rd!", new Guid("0aa29dcb-3a9b-413f-aee2-8df91fd1118e"), KrbPrincipalName.FromString( "host/test.identityintervention.com", PrincipalNameType.NT_SRV_INST, "corp.identityintervention.com" ) ); var keytab = new KeyTable(file.ToArray()); Assert.AreEqual(1, keytab.Entries.Count()); var key = keytab.Entries.First(); var kerbKey = key.Key; AssertKeyMatchesGuid(key.EncryptionType.Value, kerbKey); }
public void GenerateTgt() { var realmService = new FakeRealmService(Realm); var principal = realmService.Principals.Find(KrbPrincipalName.FromString(UserUpn)); var principalKey = principal.RetrieveLongTermCredential(); var rst = new ServiceTicketRequest { Flags = TicketFlags.EncryptedPreAuthentication | TicketFlags.Renewable | TicketFlags.Forwardable, Principal = principal, EncryptedPartKey = principalKey, ServicePrincipalKey = new KerberosKey(key: TgtKey, etype: etype, kvno: 123) }; for (var i = 0; i < AuthenticationAttempts; i++) { var tgt = KrbAsRep.GenerateTgt(rst, realmService); Assert.IsNotNull(tgt); } }
public void DelegationEncoding_Roundtrip() { var delegInfo = new DelegationInfo() { DelegationTicket = new KrbCred { Tickets = new[] { new KrbTicket { EncryptedPart = new KrbEncryptedData { Cipher = new byte[16], EType = EncryptionType.AES128_CTS_HMAC_SHA1_96 }, Realm = "blah.test.com", SName = KrbPrincipalName.FromString("*****@*****.**"), TicketNumber = 245 } }, EncryptedPart = new KrbEncryptedData { Cipher = new byte[16], EType = EncryptionType.AES128_CTS_HMAC_SHA1_96 } } }; var encoded = delegInfo.Encode(); Assert.IsNotNull(encoded); var decoded = new DelegationInfo().Decode(encoded); Assert.IsNotNull(decoded); Assert.IsNotNull(decoded.DelegationTicket); Assert.IsNotNull(decoded.DelegationTicket.Tickets); Assert.AreEqual(1, decoded.DelegationTicket.Tickets.Length); Assert.IsNotNull(decoded.DelegationTicket.EncryptedPart); }