private protected KerberosAPReplyAuthenticationToken(byte[] data, DERValue[] values)
: base(data, values)
{
ProtocolVersion = 5;
MessageType = KRB_MSG_TYPE.KRB_AP_REP;
EncryptedPart = new KerberosEncryptedData();
}
/// <summary>
/// Try and parse data into an ASN1 authentication token.
/// </summary>
/// <param name="data">The data to parse.</param>
/// <param name="token">The Negotiate authentication token.</param>
/// <param name="values">Parsed DER Values.</param>
internal static bool TryParse(byte[] data, DERValue[] values, out KerberosAuthenticationToken token)
{
token = null;
try
{
var ret = new KerberosAPReplyAuthenticationToken(data, values);
if (values.Length != 1 || !values[0].CheckApplication(15) || !values[0].HasChildren())
{
return(false);
}
values = values[0].Children;
if (values.Length != 1 || !values[0].CheckSequence() || !values[0].HasChildren())
{
return(false);
}
foreach (var next in values[0].Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
return(false);
}
switch (next.Tag)
{
case 0:
if (next.ReadChildInteger() != 5)
{
return(false);
}
break;
case 1:
if ((KerberosMessageType)next.ReadChildInteger() != KerberosMessageType.KRB_AP_REP)
{
return(false);
}
break;
case 2:
if (!next.HasChildren())
{
return(false);
}
ret.EncryptedPart = KerberosEncryptedData.Parse(next.Children[0]);
break;
default:
return(false);
}
}
token = ret;
return(true);
}
catch (InvalidDataException)
{
return(false);
}
}
internal static KerberosEncryptedData Parse(DERValue value)
{
if (!value.CheckSequence())
{
throw new InvalidDataException();
}
KerberosEncryptedData ret = new KerberosEncryptedData();
foreach (var next in value.Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
throw new InvalidDataException();
}
switch (next.Tag)
{
case 0:
ret.EncryptionType = (KerberosEncryptionType)next.ReadChildInteger();
break;
case 1:
ret.KeyVersion = next.ReadChildInteger();
break;
case 2:
ret.CipherText = next.ReadChildOctetString();
break;
default:
throw new InvalidDataException();
}
}
return(ret);
}
internal static bool Parse(KerberosEncryptedData orig_data, byte[] decrypted, out KerberosEncryptedData ticket)
{
ticket = null;
try {
DERValue[] values = DERParser.ParseData(decrypted, 0);
if (values.Length != 1)
{
return(false);
}
DERValue value = values[0];
if (!value.CheckApplication(27) || !value.HasChildren())
{
return(false);
}
if (!value.Children[0].CheckSequence())
{
return(false);
}
var ret = new KerberosAPReplyEncryptedPart(orig_data);
foreach (var next in value.Children[0].Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
return(false);
}
switch (next.Tag)
{
case 0:
ret.ClientTime = next.ReadChildGeneralizedTime();
break;
case 1:
ret.ClientUSec = next.ReadChildInteger();
break;
case 2:
if (!next.HasChildren())
{
return(false);
}
ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], string.Empty, new KerberosPrincipalName());
break;
case 3:
ret.SequenceNumber = next.ReadChildInteger();
break;
default:
return(false);
}
}
ticket = ret;
} catch (InvalidDataException) {
return(false);
} catch (EndOfStreamException) {
return(false);
}
return(true);
}
private protected KerberosAPRequestAuthenticationToken(byte[] data, DERValue[] values)
: base(data, values)
{
ProtocolVersion = 5;
MessageType = KRB_MSG_TYPE.KRB_AP_REQ;
Ticket = new KerberosTicket();
Authenticator = new KerberosEncryptedData();
}
internal static KerberosTicket Parse(DERValue value)
{
if (!value.CheckApplication(1) || !value.HasChildren())
{
throw new InvalidDataException();
}
if (!value.Children[0].CheckSequence())
{
throw new InvalidDataException();
}
KerberosTicket ret = new KerberosTicket();
foreach (var next in value.Children[0].Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
throw new InvalidDataException();
}
switch (next.Tag)
{
case 0:
if (next.ReadChildInteger() != 5)
{
throw new InvalidDataException();
}
break;
case 1:
ret.Realm = next.ReadChildGeneralString();
break;
case 2:
if (!next.Children[0].CheckSequence())
{
throw new InvalidDataException();
}
ret.ServerName = KerberosPrincipalName.Parse(next.Children[0]);
break;
case 3:
if (!next.HasChildren())
{
throw new InvalidDataException();
}
ret.EncryptedData = KerberosEncryptedData.Parse(next.Children[0]);
break;
default:
throw new InvalidDataException();
}
}
return(ret);
}
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData authenticator = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
if (!Ticket.Decrypt(tmp_keys, KerberosKeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
{
ticket = null;
}
if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, KerberosKeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
{
KerberosEncryptedData authenticator = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.Keys);
if (!Ticket.Decrypt(tmp_keys, RC4KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
{
ticket = null;
}
if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, RC4KeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData authenticator = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
if (!Ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
{
ticket = null;
}
if (ticket != null || authenticator != null)
{
var ret = (KerberosTGTReplyAuthenticationToken)MemberwiseClone();
ret.Ticket = ticket ?? ret.Ticket;
return(ret);
}
return(base.Decrypt(keyset));
}
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData encdata = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
List <KerberosTicket> dec_tickets = new List <KerberosTicket>();
bool decrypted_ticket = false;
foreach (var ticket in Tickets)
{
if (ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket dec_ticket))
{
dec_tickets.Add(dec_ticket);
decrypted_ticket = true;
}
else
{
dec_tickets.Add(ticket);
}
}
if (EncryptedPart.Decrypt(tmp_keys, string.Empty, new KerberosPrincipalName(), KeyUsage.KrbCred, out byte[] decrypted))
private KerberosAPReplyEncryptedPart(KerberosEncryptedData orig_data)
: base(orig_data.EncryptionType, orig_data.KeyVersion, orig_data.CipherText)
{
}
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData encrypted_part = null;
KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
if (EncryptedPart.Decrypt(tmp_keyset, string.Empty, new KerberosPrincipalName(), KerberosKeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
private protected KerberosAPReplyAuthenticationToken(byte[] data, DERValue[] values)
: base(data, values, KerberosMessageType.KRB_AP_REP)
{
EncryptedPart = new KerberosEncryptedData();
}
private protected KerberosAPRequestAuthenticationToken(byte[] data, DERValue[] values)
: base(data, values, KerberosMessageType.KRB_AP_REQ)
{
Ticket = new KerberosTicket(new byte[0]);
Authenticator = new KerberosEncryptedData();
}
internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, KerberosKeySet keyset, out KerberosEncryptedData ticket)
{
ticket = null;
try
{
DERValue[] values = DERParser.ParseData(decrypted, 0);
if (values.Length != 1)
{
return(false);
}
DERValue value = values[0];
if (!value.CheckApplication(2) || !value.HasChildren())
{
return(false);
}
if (!value.Children[0].CheckSequence())
{
return(false);
}
var ret = new KerberosAuthenticator(orig_data);
foreach (var next in value.Children[0].Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
return(false);
}
switch (next.Tag)
{
case 0:
if (next.ReadChildInteger() != 5)
{
return(false);
}
break;
case 1:
ret.ClientRealm = next.ReadChildGeneralString();
break;
case 2:
if (!next.Children[0].CheckSequence())
{
return(false);
}
ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
break;
case 3:
if (!next.Children[0].CheckSequence())
{
return(false);
}
ret.Checksum = KerberosChecksum.Parse(next.Children[0]);
break;
case 4:
ret.ClientUSec = next.ReadChildInteger();
break;
case 5:
ret.ClientTime = next.ReadChildGeneralizedTime();
break;
case 6:
if (!next.HasChildren())
{
return(false);
}
ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
break;
case 7:
ret.SequenceNumber = next.ReadChildInteger();
break;
case 8:
if (!next.HasChildren())
{
return(false);
}
ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
break;
default:
return(false);
}
}
if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null)
{
KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosAuthenticationKey[0]);
if (ret.SubKey != null)
{
tmp_keyset.Add(ret.SubKey);
}
gssapi.Decrypt(tmp_keyset);
}
ticket = ret;
}
catch (InvalidDataException)
{
return(false);
}
catch (EndOfStreamException)
{
return(false);
}
return(true);
}
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
{
KerberosEncryptedData encrypted_part = null;
if (EncryptedPart.Decrypt(keyset, string.Empty, new KerberosPrincipalName(), KeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
private KerberosAuthenticator(KerberosEncryptedData orig_data)
: base(orig_data.EncryptionType, orig_data.KeyVersion, orig_data.CipherText)
{
AuthenticatorVersion = 5;
}
/// <summary>
/// Try and parse data into an ASN1 authentication token.
/// </summary>
/// <param name="data">The data to parse.</param>
/// <param name="token">The Negotiate authentication token.</param>
/// <param name="values">Parsed DER Values.</param>
internal static bool TryParse(byte[] data, DERValue[] values, out KerberosAuthenticationToken token)
{
token = null;
try
{
var ret = new KerberosAPRequestAuthenticationToken(data, values);
if (values.Length != 1 || !values[0].CheckApplication(14) || !values[0].HasChildren())
{
return(false);
}
values = values[0].Children;
if (values.Length != 1 || !values[0].CheckSequence() || !values[0].HasChildren())
{
return(false);
}
Queue <DERValue> queue = new Queue <DERValue>(values[0].Children);
while (queue.Count > 0)
{
var next = queue.Dequeue();
if (next.Type != DERTagType.ContextSpecific)
{
return(false);
}
switch (next.Tag)
{
case 0:
if (next.ReadChildInteger() != 5)
{
return(false);
}
break;
case 1:
if ((KRB_MSG_TYPE)next.ReadChildInteger() != KRB_MSG_TYPE.KRB_AP_REQ)
{
return(false);
}
break;
case 2:
if (!next.Children[0].CheckPrimitive(UniversalTag.BIT_STRING))
{
return(false);
}
var bits = next.Children[0].ReadBitString();
var options = KerberosAPRequestOptions.None;
if (bits[1])
{
options |= KerberosAPRequestOptions.UseSessionKey;
}
if (bits[2])
{
options |= KerberosAPRequestOptions.MutualAuthRequired;
}
ret.Options = options;
break;
case 3:
if (!next.HasChildren())
{
return(false);
}
ret.Ticket = KerberosTicket.Parse(next.Children[0]);
break;
case 4:
if (!next.HasChildren())
{
return(false);
}
ret.Authenticator = KerberosEncryptedData.Parse(next.Children[0]);
break;
default:
return(false);
}
}
token = ret;
return(true);
}
catch (InvalidDataException)
{
return(false);
}
}