Esempio n. 1
        /// <summary>
        /// Builds the authorization-data list for a service ticket. When the request asks
        /// for a PAC and the principal produces one, the list holds a single AD-IF-RELEVANT
        /// entry wrapping the encoded PAC; otherwise the list is empty.
        /// </summary>
        /// <param name="request">Ticket request supplying the principal, timestamp and signing keys.</param>
        /// <returns>Zero or one <see cref="KrbAuthorizationData"/> entries.</returns>
        private static IEnumerable<KrbAuthorizationData> GenerateAuthorizationData(ServiceTicketRequest request)
        {
            // Wire shape of authorization-data: an outer sequence of AD-IF-RELEVANT
            // containers, each of which carries its own encoded inner sequence:
            //
            //   [ { Type = ad-if-relevant, Data = [ { Type = pac, Data = encoded-pac }, ... ] }, ... ]

            var result = new List<KrbAuthorizationData>();

            if (!request.IncludePac)
            {
                return result;
            }

            var pac = request.Principal.GeneratePac();

            if (pac == null)
            {
                // No PAC available: the ticket is issued with empty authorization data.
                return result;
            }

            // Stamp the PAC with the client name and the request time before it is signed,
            // so the client-info buffer is covered by the checksums computed in Encode.
            pac.ClientInformation = new PacClientInfo
            {
                ClientId = RpcFileTime.ConvertWithoutMicroseconds(request.Now),
                Name     = request.Principal.PrincipalName
            };

            // Two distinct keys are supplied: the KDC authorization key and the service
            // principal key (presumably for the KDC and server checksums respectively;
            // confirm against the Encode signature).
            var pacEntry = new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdWin2kPac,
                Data = pac.Encode(request.KdcAuthorizationKey, request.ServicePrincipalKey)
            };

            var container = new KrbAuthorizationDataSequence
            {
                AuthorizationData = new[] { pacEntry }
            };

            result.Add(new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdIfRelevant,
                Data = container.Encode()
            });

            return result;
        }
Esempio n. 2
        /// <summary>
        /// Asynchronously builds the authorization-data list for a service ticket. When the
        /// request asks for a PAC and the principal produces one, the list holds a single
        /// AD-IF-RELEVANT entry wrapping the encoded PAC; otherwise the list is empty.
        /// </summary>
        /// <param name="principal">Principal whose PAC is generated.</param>
        /// <param name="request">Ticket request supplying the PAC flag and the signing key.</param>
        /// <returns>Zero or one <see cref="KrbAuthorizationData"/> entries.</returns>
        private static async Task<IEnumerable<KrbAuthorizationData>> GenerateAuthorizationData(
            IKerberosPrincipal principal,
            ServiceTicketRequest request
        )
        {
            // Wire shape of authorization-data: an outer sequence of AD-IF-RELEVANT
            // containers, each of which carries its own encoded inner sequence:
            //
            //   [ { Type = ad-if-relevant, Data = [ { Type = pac, Data = encoded-pac }, ... ] }, ... ]

            var result = new List<KrbAuthorizationData>();

            if (!request.IncludePac)
            {
                return result;
            }

            var pac = await principal.GeneratePac();

            if (pac == null)
            {
                // No PAC available: the ticket is issued with empty authorization data.
                return result;
            }

            // NOTE(review): the service principal key is passed for BOTH Encode arguments.
            // If the first argument keys the KDC checksum, that checksum is then computed
            // with the service key rather than a KDC-held key, so it adds no assurance
            // beyond the server checksum and would not verify against the KDC's key.
            // Confirm whether a separate KDC key should be supplied here.
            var pacEntry = new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdWin2kPac,
                Data = pac.Encode(request.ServicePrincipalKey, request.ServicePrincipalKey)
            };

            var container = new KrbAuthorizationDataSequence
            {
                AuthorizationData = new[] { pacEntry }
            };

            result.Add(new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdIfRelevant,
                Data = container.Encode()
            });

            return result;
        }
Esempio n. 3
        /// <summary>
        /// Unwraps an AD-IF-RELEVANT entry and returns the authorization-data elements
        /// nested inside it.
        /// </summary>
        /// <returns>The entries decoded from this element's <c>Data</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when this element's type is not <c>AdIfRelevant</c>.
        /// </exception>
        /// <remarks>
        /// Only the outer type tag is checked here. The nested entries are returned exactly
        /// as decoded; callers remain responsible for checking each entry's type and for
        /// verifying any PAC signatures before trusting the contents.
        /// </remarks>
        public IEnumerable<KrbAuthorizationData> DecodeAdIfRelevant()
        {
            if (this.Type == AuthorizationDataType.AdIfRelevant)
            {
                var container = KrbAuthorizationDataSequence.Decode(this.Data);

                return container.AuthorizationData;
            }

            // Refuse to interpret any other element type as a nested sequence.
            throw new InvalidOperationException($"Cannot decode AdIfRelevant because type is {this.Type}");
        }
Esempio n. 4
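        /// <summary>
        /// Asynchronously builds the authorization-data list for a ticket whose PAC is
        /// signed with the supplied krbtgt key. The list holds a single AD-IF-RELEVANT
        /// entry wrapping the encoded PAC, or is empty when the principal yields no PAC.
        /// </summary>
        /// <param name="principal">Principal whose PAC is generated.</param>
        /// <param name="krbtgt">Key passed to the PAC encoder for both of its key arguments.</param>
        /// <returns>Zero or one <see cref="KrbAuthorizationData"/> entries.</returns>
        private static async Task<IEnumerable<KrbAuthorizationData>> GenerateAuthorizationData(
            IKerberosPrincipal principal,
            KerberosKey krbtgt
        )
        {
            // Wire shape of authorization-data: an outer sequence of AD-IF-RELEVANT
            // containers, each of which carries its own encoded inner sequence:
            //
            //   [ { Type = ad-if-relevant, Data = [ { Type = pac, Data = encoded-pac }, ... ] }, ... ]

            var authz = new List<KrbAuthorizationData>();

            var pac = await principal.GeneratePac();

            if (pac == null)
            {
                // Previously a null PAC was dereferenced and surfaced as a
                // NullReferenceException. Return empty authorization data instead; any
                // caller that requires a PAC to be present must enforce that itself.
                return authz;
            }

            // The same key is used for both Encode arguments. Presumably this is the TGT
            // path, where the ticket's service is krbtgt itself. Confirm with the caller.
            var pacEntry = new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdWin2kPac,
                Data = pac.Encode(krbtgt, krbtgt)
            };

            var sequence = new KrbAuthorizationDataSequence
            {
                AuthorizationData = new[] { pacEntry }
            };

            authz.Add(new KrbAuthorizationData
            {
                Type = AuthorizationDataType.AdIfRelevant,
                Data = sequence.Encode().AsMemory()
            });

            return authz;
        }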