public DtlsClientSecurityContext(
SecurityPackageType packageType,
CertificateCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
if (clientCredential == null)
{
clientCredential = new CertificateCredential(null);
}
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.DtlsAcquireCredentialsHandle(
packageType,
clientCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_OUTBOUND,
out this.credentialHandle);
bStreamSizes = false;
hasMoreFragments = false;
}
/// <summary>
/// Constructor.
/// </summary>
/// <param name="attributes">the attributes for server</param>
/// <param name="nlmpConfig">
/// the config for nlmp client, this param maybe null. if null, spng does not support nlmp.
/// </param>
/// <param name="kileConfig">
/// the config for kile client, this param maybe null. if null, spng does not support Kerberos.
/// </param>
/// <exception cref="ArgumentException">at least one of nlmpConfig and kileConfig must not be null</exception>
public SpngClientSecurityContext(
ClientSecurityContextAttribute attributes,
NlmpClientSecurityConfig nlmpConfig,
KerberosClientSecurityConfig kileConfig)
{
InitializeClientSecurityContext(attributes, nlmpConfig, kileConfig, null);
}
public KerberosClientSecurityContext(AccountCredential clientCredential, string serviceName, ClientSecurityContextAttribute contextAttributes)
{
if (clientCredential.DomainName == null)
{
throw new ArgumentNullException(nameof(clientCredential.DomainName));
}
if (clientCredential.AccountName == null)
{
throw new ArgumentNullException(nameof(clientCredential.AccountName));
}
if (clientCredential.Password == null)
{
throw new ArgumentNullException(nameof(clientCredential.Password));
}
if (serviceName == null)
{
throw new ArgumentNullException(nameof(serviceName));
}
this.contextAttribute = contextAttributes;
client = new KileClient(clientCredential.DomainName, clientCredential.AccountName, clientCredential.Password,
KileAccountType.User);
this.serverName = serviceName;
domain = clientCredential.DomainName;
userLogonName = clientCredential.AccountName;
client.Connect(clientCredential.DomainName, ConstValue.KDC_PORT, KileConnectionType.TCP);
InitContextSize();
}
public static ClientSecurityContext CreateClientSecurityContext(
string serverName,
AccountCredential credential,
ClientSecurityContextAttribute contextAttribute
)
{
return(CreateClientSecurityContext(serverName, credential, KerberosAccountType.User, credential.DomainName, 88, TransportType.TCP, contextAttribute));
}
/// <summary>
/// initialize the client security context.
/// </summary>
/// <param name="attributes">the attributes for server</param>
/// <param name="nlmpConfig">
/// the config for nlmp client, this param maybe null. if null, spng does not support nlmp.
/// </param>
/// <param name="kileConfig">
/// the config for kile client, this param maybe null. if null, spng does not support Kerberos.
/// </param>
/// <param name="sspiConfig">
/// the config for sspi client, this param maybe null. if null, spng does not support sspi.
/// </param>
/// <exception cref="ArgumentException">
/// at least one of nlmpConfig, kileConfig and sspiConfig must not be null
/// </exception>
private void InitializeClientSecurityContext(
ClientSecurityContextAttribute attributes,
NlmpClientSecurityConfig nlmpConfig,
KerberosClientSecurityConfig kileConfig,
SspiClientSecurityConfig sspiConfig)
{
if (nlmpConfig == null && kileConfig == null && sspiConfig == null)
{
throw new ArgumentException("at least one of nlmpConfig, kileConfig and sspiConfig must not be null");
}
List <SecurityConfig> configList = new List <SecurityConfig>();
// build the mech types
List <MechType> mechTypes = new List <MechType>();
if (kileConfig != null)
{
configList.Add(kileConfig);
mechTypes.Add(new MechType(Consts.KerbOidInt));
}
if (nlmpConfig != null)
{
configList.Add(nlmpConfig);
mechTypes.Add(new MechType(Consts.NlmpOidInt));
}
if (sspiConfig != null)
{
configList.Add(sspiConfig);
switch (sspiConfig.SecurityType)
{
case SecurityPackageType.Ntlm:
mechTypes.Add(new MechType(Consts.NlmpOidInt));
break;
case SecurityPackageType.Kerberos:
mechTypes.Add(new MechType(Consts.KerbOidInt));
break;
default:
mechTypes.Add(new MechType(Consts.UnknownOidInt));
break;
}
}
// build a spng config
SpngClientSecurityConfig spngConfig =
new SpngClientSecurityConfig(attributes, new MechTypeList(mechTypes.ToArray()));
// add spng config to config list.
configList.Insert(0, spngConfig);
// initialize the spng client
this.client = new SpngClient(spngConfig);
this.needContinueProcessing = true;
this.packageType = SecurityPackageType.Negotiate;
this.securityConfigList = configList.ToArray();
}
/// <summary>
/// Constructor, use the constructor of base class
/// </summary>
/// <param name="attributes">Security context attributes</param>
/// <param name="mechList">The supported MechType list</param>
/// <exception cref="ArgumentNullException">mechList must not be null</exception>
public SpngClientSecurityConfig(
ClientSecurityContextAttribute attributes,
MechTypeList mechList)
: base((uint)attributes, mechList)
{
if (mechList == null)
{
throw new ArgumentNullException("mechList");
}
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="account">Client account credential.</param>
/// <param name="target">SPN of the service to which the client wishes to authenticate.</param>
/// <param name="securityAttributes">Security Attributes.</param>
public NlmpClientSecurityConfig(
AccountCredential account,
string target,
ClientSecurityContextAttribute securityAttributes)
: base(SecurityPackageType.Ntlm)
{
this.clientCredential = account;
this.targetName = target;
this.SecurityAttributes = securityAttributes;
}
/// <summary>
/// constructor
/// </summary>
/// <param name="credential">the client credential contains the user information</param>
/// <param name="contextAttribute">the client Context Attribute</param>
/// <exception cref="ArgumentNullException">the previousContext must be null</exception>
public NlmpClientSecurityContext(NlmpClientCredential credential, ClientSecurityContextAttribute contextAttribute)
: this(credential)
{
this.contextAttribute = contextAttribute;
this.Context.Integrity = contextAttribute.HasFlag(ClientSecurityContextAttribute.Integrity);
this.Context.ReplayDetect = contextAttribute.HasFlag(ClientSecurityContextAttribute.ReplayDetect);
this.Context.SequenceDetect = contextAttribute.HasFlag(ClientSecurityContextAttribute.SequenceDetect);
this.Context.Confidentiality = contextAttribute.HasFlag(ClientSecurityContextAttribute.Confidentiality);
this.Context.Datagram = contextAttribute.HasFlag(ClientSecurityContextAttribute.Datagram);
this.Context.Identify = contextAttribute.HasFlag(ClientSecurityContextAttribute.Identify);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="clientCredential">Client account credential.</param>
/// <param name="serverPrincipal">Server principal.</param>
/// <param name="contextAttributes">Client security context attributes.</param>
/// <param name="targetDataRep">The data representation, such as byte ordering, on the target.</param>
public SspiClientSecurityConfig(
AccountCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
: base(SecurityPackageType.Unknown)
{
this.clientCredential = clientCredential;
this.serverPrincipal = serverPrincipal;
this.securityAttributes = contextAttributes;
this.targetDataRep = targetDataRep;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="clientCredential">Client account credential.</param>
/// <param name="serverPrincipal">Server principal.</param>
/// <param name="contextAttributes">Client security context attributes.</param>
/// <param name="targetDataRep">The data representation, such as byte ordering, on the target.</param>
public SspiClientSecurityConfig(
AccountCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
: base(SecurityPackageType.Unknown)
{
this.clientCredential = clientCredential;
this.serverPrincipal = serverPrincipal;
this.securityAttributes = contextAttributes;
this.targetDataRep = targetDataRep;
}
/// <summary>
/// Constructor.
/// </summary>
/// <param name="account">Account credential.</param>
/// <param name="logonName">Logon name.</param>
/// <param name="serviceName">Service name.</param>
/// <param name="kdcIpAddress">KDC IP address</param>
/// <param name="attributes">Client security attributes.</param>
/// <param name="connectionType">Connection type.</param>
public KerberosClientSecurityConfig(
AccountCredential account,
string serviceName,
ClientSecurityContextAttribute attributes)
: base(SecurityPackageType.Kerberos)
{
this.clientCredential = account;
this.logonName = account.AccountName;
this.serviceName = serviceName;
this.kdcIpAddress = account.DomainName.ParseIPAddress();
this.securityAttributes = attributes;
this.transportType = TransportType.TCP;
}
/// <summary>
/// Constructor with client credential, principal of server, ContextAttributes and TargetDataRep.
/// </summary>
/// <param name="packageType">Specifies the name of the security package with which these credentials will be used
/// </param>
/// <param name="clientCredential">Client account credential</param>
/// <param name="serverPrincipal">Server principal name</param>
/// <param name="contextAttributes">Context attributes</param>
/// <param name="targetDataRep">The data representation, such as byte ordering, on the target.
/// This parameter can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.</param>
public SspiClientSecurityContext(
SecurityPackageType packageType,
CertificateCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
this.AcquireCredentialsHandle(clientCredential);
}
/// <summary>
/// Generate a new NlmpClient Security Context
/// </summary>
/// <param name="domain" cref="KerberosClientCredential">Login user Credential</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <returns></returns>
public static ClientSecurityContext CreateClientSecurityContext(
string serverName,
AccountCredential credential,
KerberosAccountType accountType,
IPAddress kdcAddress,
int kdcPort,
TransportType transportType,
ClientSecurityContextAttribute contextAttribute,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
string salt = null
)
{
return(new KerberosClientSecurityContext(serverName, credential, accountType, kdcAddress, kdcPort, transportType, contextAttribute, oidPkt, salt));
}
/// <summary>
/// Constructor.
/// </summary>
/// <param name="account">Account credential.</param>
/// <param name="logonName">Logon name.</param>
/// <param name="serviceName">Service name.</param>
/// <param name="kdcIpAddress">KDC IP address</param>
/// <param name="attributes">Client security attributes.</param>
/// <param name="connectionType">Connection type.</param>
public KerberosClientSecurityConfig(
AccountCredential account,
string logonName,
string serviceName,
IPAddress kdcIpAddress,
ClientSecurityContextAttribute attributes,
TransportType transportType)
: base(SecurityPackageType.Kerberos)
{
this.clientCredential = account;
this.logonName = logonName;
this.serviceName = serviceName;
this.kdcIpAddress = kdcIpAddress;
this.securityAttributes = attributes;
this.transportType = transportType;
}
public KerberosClientSecurityContext(AccountCredential clientCredential,
string logonName,
string serviceName,
IPAddress kdcIpAddress,
ClientSecurityContextAttribute contextAttributes,
KileConnectionType transportType)
{
if (clientCredential.DomainName == null)
{
throw new ArgumentNullException(nameof(clientCredential.DomainName));
}
if (clientCredential.AccountName == null)
{
throw new ArgumentNullException(nameof(clientCredential.AccountName));
}
if (clientCredential.Password == null)
{
throw new ArgumentNullException(nameof(clientCredential.Password));
}
if (kdcIpAddress == null)
{
throw new ArgumentNullException(nameof(kdcIpAddress));
}
if (logonName == null)
{
throw new ArgumentNullException(nameof(logonName));
}
if (serviceName == null)
{
throw new ArgumentNullException(nameof(serviceName));
}
client = new KileClient(clientCredential.DomainName, clientCredential.AccountName, clientCredential.Password,
KileAccountType.User);
service = serviceName;
domain = clientCredential.DomainName;
userLogonName = logonName;
contextAttribute = contextAttributes;
client.Connect(kdcIpAddress.ToString(), ConstValue.KDC_PORT, transportType);
contextSizes = new SecurityPackageContextSizes();
contextSizes.MaxTokenSize = ConstValue.MAX_TOKEN_SIZE;
contextSizes.MaxSignatureSize = ConstValue.MAX_SIGNATURE_SIZE;
contextSizes.BlockSize = ConstValue.BLOCK_SIZE;
contextSizes.SecurityTrailerSize = ConstValue.SECURITY_TRAILER_SIZE;
}
public DtlsClientSecurityContext(
SecurityPackageType packageType,
CertificateCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
if (clientCredential == null)
{
clientCredential = new CertificateCredential(null);
}
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
this.Context = new Sspi.DtlsClientSecurityContext(packageType, clientCredential, serverPrincipal, contextAttributes, targetDataRep) as IDtlsClientSecurityContext;
}
/// <summary>
/// Create a KerberosClientSecurityContext instance.
/// </summary>
/// <param name="domain" cref="KerberosClientCredential">Login user Credential</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClientSecurityContext(
string serverName,
AccountCredential credential,
KerberosAccountType accountType,
IPAddress kdcAddress,
int kdcPort,
TransportType transportType,
ClientSecurityContextAttribute contextAttribute,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
string salt = null
)
{
this.credential = credential;
this.serverName = serverName;
this.contextAttribute = contextAttribute;
this.client = new KerberosClient(this.credential.DomainName, this.credential.AccountName, this.credential.Password, accountType, kdcAddress, kdcPort, transportType, oidPkt, salt);
this.UpdateDefaultSettings();
}
/// <summary>
/// Constructor with client credential, principal of server, ContextAttributes and TargetDataRep.
/// </summary>
/// <param name="packageType">Specifies the name of the security package with which these credentials will be used
/// </param>
/// <param name="clientCredential">Client account credential, if null, use default user account</param>
/// <param name="serverPrincipal">Server principal name</param>
/// <param name="contextAttributes">Context attributes</param>
/// <param name="targetDataRep">The data representation, such as byte ordering, on the target.
/// This parameter can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.</param>
public SspiClientSecurityContext(
SecurityPackageType packageType,
AccountCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.AcquireCredentialsHandle(
packageType,
clientCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_OUTBOUND,
out this.credentialHandle);
}
public KerberosClientSecurityContext(AccountCredential clientCredential,
string logonName,
string serviceName,
IPAddress kdcIpAddress,
ClientSecurityContextAttribute contextAttributes,
KileConnectionType transportType)
{
if (clientCredential.DomainName == null)
{
throw new ArgumentNullException(nameof(clientCredential.DomainName));
}
if (clientCredential.AccountName == null)
{
throw new ArgumentNullException(nameof(clientCredential.AccountName));
}
if (clientCredential.Password == null)
{
throw new ArgumentNullException(nameof(clientCredential.Password));
}
if (kdcIpAddress == null)
{
throw new ArgumentNullException(nameof(kdcIpAddress));
}
if (logonName == null)
{
throw new ArgumentNullException(nameof(logonName));
}
if (serviceName == null)
{
throw new ArgumentNullException(nameof(serviceName));
}
client = new KileClient(clientCredential.DomainName, clientCredential.AccountName, clientCredential.Password,
KileAccountType.User);
this.serverName = serviceName;
domain = clientCredential.DomainName;
userLogonName = logonName;
contextAttribute = contextAttributes;
client.Connect(kdcIpAddress.ToString(), ConstValue.KDC_PORT, transportType);
InitContextSize();
}
/// <summary>
/// Generate the Generic Security Service (GSS) Kerberos authentication token for a user.
/// </summary>
/// <param name="user">The user.</param>
/// <returns>The GSS Kerberos authentication token in type of DRS_SecBuffer.</returns>
public static DRS_SecBufferDesc GetAuthenticationToken(string account, string pwd, string domain, string spn)
{
ClientSecurityContextAttribute contextAttr =
ClientSecurityContextAttribute.Connection |
//ClientSecurityContextAttribute.Integrity |
ClientSecurityContextAttribute.Confidentiality
//|
//ClientSecurityContextAttribute.UseSessionKey
//|
//ClientSecurityContextAttribute.Delegate
;
SspiClientSecurityContext securityContext = new SspiClientSecurityContext(
SecurityPackageType.Kerberos,
new AccountCredential(domain, account, pwd),
spn,
contextAttr,
SecurityTargetDataRepresentation.SecurityNativeDrep);
//securityContext.Initialize(null);
string kdcIpAddr = GetIPAddress(domain);
byte[] token = GenerateGssApToken(kdcIpAddr, account, pwd, domain, spn, KerberosAccountType.User);
DRS_SecBufferDesc pClientCreds = new DRS_SecBufferDesc();
pClientCreds.ulVersion = ulVersion_Values.V1;
//pClientCreds.Buffers = null;
pClientCreds.cBuffers = 1;
pClientCreds.Buffers = new DRS_SecBuffer[1];
DRS_SecBuffer secBuf = new DRS_SecBuffer();
secBuf.BufferType = BufferType_Values.SECBUFFER_TOKEN;
secBuf.pvBuffer = token;
secBuf.cbBuffer = (uint)secBuf.pvBuffer.Length;
pClientCreds.Buffers[0] = secBuf;
return(pClientCreds);
}
public DtlsClientSecurityContext(
SecurityPackageType packageType,
CertificateCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
if (clientCredential == null) clientCredential = new CertificateCredential(null);
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.DtlsAcquireCredentialsHandle(
packageType,
clientCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_OUTBOUND,
out this.credentialHandle);
bStreamSizes = false;
hasMoreFragments = false;
}
/// <summary>
/// AcquireCredentialsHandle
/// </summary>
/// <param name="accountCredential"></param>
protected void AcquireCredentialsHandle <T>(T accountCredential)
{
if (!string.IsNullOrEmpty(this.serverPrincipalName))
{
this.serverPrincipalName = GetServicePrincipalName(this.serverPrincipalName);
}
switch (packageType)
{
case SecurityPackageType.Ntlm:
{
if (accountCredential is AccountCredential)
{
var credential = accountCredential as AccountCredential;
this.Context = new NlmpClientSecurityContext(
new NlmpClientCredential(
this.serverPrincipalName,
credential.DomainName,
credential.AccountName,
credential.Password)
);
}
else
{
throw new NotSupportedException("NTLM only support AccountCredential, Please provide an AccountCredential and try again.");
}
return;
}
case SecurityPackageType.Kerberos:
{
if (accountCredential is AccountCredential)
{
var credential = accountCredential as AccountCredential;
IPAddress kdcIpAddress = (string.IsNullOrEmpty(KerberosContext.KDCComputerName) ? credential.DomainName : KerberosContext.KDCComputerName).ParseIPAddress();
this.Context = KerberosClientSecurityContext.CreateClientSecurityContext(
this.serverPrincipalName,
credential,
KerberosAccountType.User,
kdcIpAddress,
KerberosContext.KDCPort,
TransportType.TCP,
this.securityContextAttributes
);
}
else
{
throw new NotSupportedException("Kerberos only support AccountCredential, Please provide an AccountCredential and try again.");
}
return;
}
case SecurityPackageType.Negotiate:
{
if (accountCredential is AccountCredential)
{
if (this.securityContextAttributes == ClientSecurityContextAttribute.None)
{
this.securityContextAttributes = ClientSecurityContextAttribute.MutualAuth; // MS-SPNG 3.3.3 The client MUST request Mutual Authentication services
}
var credential = accountCredential as AccountCredential;
NlmpClientSecurityConfig nlmpSecurityConfig = new NlmpClientSecurityConfig(credential, this.serverPrincipalName, this.securityContextAttributes);
IPAddress kdcIpAddress = (string.IsNullOrEmpty(KerberosContext.KDCComputerName) ? credential.DomainName : KerberosContext.KDCComputerName).ParseIPAddress();
KerberosClientSecurityConfig kerberosSecurityConfig = new KerberosClientSecurityConfig(
credential,
credential.AccountName,
this.serverPrincipalName,
kdcIpAddress,
KerberosContext.KDCPort,
this.securityContextAttributes,
TransportType.TCP
);
this.Context = new SpngClientSecurityContext(this.securityContextAttributes, nlmpSecurityConfig, kerberosSecurityConfig);
}
else
{
throw new NotSupportedException("Negotiate SSP only support AccountCredential, Please provide an AccountCredential and try again.");
}
return;
}
//case SecurityPackageType.Schannel:
// throw new NotImplementedException();
//case SecurityPackageType.CredSsp:
// throw new NotImplementedException();
//default:
// throw new NotImplementedException();
}
this.UseNativeSSP(accountCredential);
}
public SspiClientSecurityContext(
SecurityPackageType packageType,
AccountCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.AcquireCredentialsHandle(
packageType,
clientCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_OUTBOUND,
out this.credentialHandle);
}
