/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <param name="gssToken">GSS token type used for the GSS-API header (not used in DCE style)</param>
/// <returns>
/// The encoded AP-REQ: the bare request bytes when the context checksum flag has
/// GSS_C_DCE_STYLE set, otherwise the request wrapped in a GSS-API token header.
/// </returns>
private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
    var asnApOptions = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));

    // Keep a reference to the authenticator on the instance.
    Authenticator apAuthenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
    this.ApRequestAuthenticator = apAuthenticator;

    var apRequest = new KerberosApRequest(
        Context.Pvno,
        asnApOptions,
        Context.Ticket,
        apAuthenticator,
        KeyUsageNumber.AP_REQ_Authenticator);

    // The client context is updated with the request before the wrapping is decided.
    this.client.UpdateContext(apRequest);

    // NOTE(review): the decision reads Context.ChecksumFlag rather than the checksumFlags
    // parameter; presumably UpdateContext keeps the two in sync — confirm.
    bool dceStyle = (this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE;

    // In DCE style the AP-REQ is sent without GSS-API encapsulation.
    return dceStyle
        ? apRequest.ToBytes()
        : KerberosUtility.AddGssApiTokenHeader(apRequest, this.client.OidPkt, gssToken);
}
/// <summary>
/// Encode an AP-REQ and wrap it in a GSS-API token header.
/// The KRB_AP_REQ TOK_ID (byte-swapped by ConvertEndian) is placed in front of the
/// encoded request, and the result is passed to the byte[] overload that adds the header.
/// </summary>
/// <param name="request">AP request to encode</param>
/// <param name="oidPkt">OID written into the GSS-API header</param>
/// <param name="gssToken">GSS token type</param>
/// <returns>The GSS-API token bytes</returns>
public static byte[] AddGssApiTokenHeader(KerberosApRequest request, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
    byte[] encodedRequest = request.ToBytes();

    // Two-byte TOK_ID prefix identifying the inner message as an AP-REQ.
    byte[] tokenId = BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REQ));
    byte[] innerToken = ArrayUtility.ConcatenateArrays(tokenId, encodedRequest);

    return KerberosUtility.AddGssApiTokenHeader(innerToken, oidPkt, gssToken);
}
/// <summary>
/// Client initialize with server token
/// </summary>
/// <param name="serverToken">Server token</param>
/// <remarks>
/// The server's AP-REP is parsed and verified before anything else happens. Only when the
/// context attribute DceStyle is set does the client build an AP-REP of its own and store it
/// in <c>token</c>; otherwise <c>token</c> stays null. In both cases
/// <c>needContinueProcessing</c> is cleared at the end.
/// </remarks>
/// <exception cref="ArgumentException">The AP session key in the context is missing or incomplete.</exception>
private void ClientInitialize(byte[] serverToken)
{
    // Verify the server's AP-REP first; a failure here surfaces from VerifyApResponse
    // before any client-side token is produced.
    KerberosApResponse apRep = this.GetApResponseFromToken(serverToken, KerberosConstValue.GSSToken.GSSAPI);
    this.VerifyApResponse(apRep);

    token = null;

    if ((contextAttribute & ClientSecurityContextAttribute.DceStyle) == ClientSecurityContextAttribute.DceStyle)
    {
        KerberosApResponse apResponse = this.CreateApResponse(null);

        var apBerBuffer = new Asn1BerEncodingBuffer();

        if (apResponse.ApEncPart != null)
        {
            // Encode enc_part
            apResponse.ApEncPart.BerEncode(apBerBuffer, true);

            // The session key must be fully populated before it is used for encryption.
            EncryptionKey key = this.Context.ApSessionKey;
            if (key == null || key.keytype == null || key.keyvalue == null || key.keyvalue.Value == null)
            {
                throw new ArgumentException("Ap session key is not valid");
            }

            // Encrypt enc_part
            EncryptionType eType = (EncryptionType)key.keytype.Value;
            byte[] cipherData = KerberosUtility.Encrypt(
                eType,
                key.keyvalue.ByteArrayValue,
                apBerBuffer.Data,
                (int)KeyUsageNumber.AP_REP_EncAPRepPart);
            apResponse.Response.enc_part = new EncryptedData(new KerbInt32((int)eType), null, new Asn1OctetString(cipherData));
        }

        // Encode AP Response
        // NOTE(review): apBerBuffer is the same buffer that already received the plaintext
        // enc_part encoding above; confirm BerEncode resets it, otherwise the plaintext
        // EncAPRepPart bytes would be carried into (and sent with) the outer encoding.
        // A fresh Asn1BerEncodingBuffer for the outer encoding would avoid the question.
        apResponse.Response.BerEncode(apBerBuffer, true);

        if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
        {
            // In DCE mode, the AP-REP message MUST NOT have GSS-API wrapping.
            // It is sent as is without encapsulating it in a header ([RFC2743] section 3.1).
            this.token = apBerBuffer.Data;
        }
        else
        {
            // Non-DCE checksum flag: prefix the KRB_AP_REP TOK_ID and add the GSS-API header.
            this.token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(
                BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REP)),
                apBerBuffer.Data));
        }
    }

    this.needContinueProcessing = false; // SEC_E_OK;
}