protected override void TestInitialize()
{
base.TestInitialize();
if (!IsComputerInDomain)
{
BaseTestSite.Assert.Inconclusive("Kerberos Authentication test cases are not applicable in non-domain environment");
}
if (servicePrincipalName == null)
{
servicePrincipalName = Smb2Utility.GetCifsServicePrincipalName(TestConfig.SutComputerName);
}
switch (TestConfig.DefaultSecurityPackage)
{
case TestTools.StackSdk.Security.Sspi.SecurityPackageType.Negotiate:
GssToken = KerberosConstValue.GSSToken.GSSSPNG;
break;
case TestTools.StackSdk.Security.Sspi.SecurityPackageType.Kerberos:
GssToken = KerberosConstValue.GSSToken.GSSAPI;
break;
default:
BaseTestSite.Assert.Inconclusive("Security package: {0} is not applicable for Kerberos Authentication test cases",
TestConfig.DefaultSecurityPackage);
break;
}
}
/// <summary>
/// Add a token header for AP request/response, wrap token or getmic token to make them a complete token.
/// </summary>
/// <param name="tokenBody">The AP request/response, wrap token or getmic token.
/// This argument can be null.</param>
/// <returns>The completed token.</returns>
public static byte[] AddGssApiTokenHeader(byte[] tokenBody,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
List <byte> gssDataList = new List <byte>();
gssDataList.Add(KerberosConstValue.KERBEROS_TAG);
// kerberos oid (1.2.840.113554.1.2.2)
byte[] oid;
oid = KerberosConstValue.GetKerberosOid();
if (tokenBody == null)
{
tokenBody = new byte[0];
}
int length = tokenBody.Length + oid.Length;
if (length > 127)
{
// If the indicated value is 128 or more, it shall be represented in two or more octets,
// with bit 8 of the first octet set to "1" and the remaining bits of the first octet
// specifying the number of additional octets. The subsequent octets carry the value,
// 8 bits per octet, most significant digit first. [rfc 2743]
int temp = length;
int index = 1;
List <byte> lengthList = new List <byte>();
lengthList.Add((byte)(temp & 0xFF));
while ((temp >>= 8) != 0)
{
index++;
lengthList.Add((byte)(temp & 0xFF));
}
gssDataList.Add((byte)(0x80 | index));
lengthList.Reverse();
gssDataList.AddRange(lengthList.ToArray());
}
else
{
// If the indicated value is less than 128, it shall be represented in a single octet with bit 8
// (high order) set to "0" and the remaining bits representing the value. [rfc 2743]
gssDataList.Add((byte)length);
}
gssDataList.AddRange(oid);
gssDataList.AddRange(tokenBody);
if (gssToken == KerberosConstValue.GSSToken.GSSAPI)
{
return(gssDataList.ToArray());
}
else
{
return(KerberosUtility.EncodeInitialNegToken(gssDataList.ToArray(), oidPkt));
}
}
public static byte[] AddGssApiTokenHeader(KerberosApRequest request,
KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken,
KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
byte[] encoded = request.ToBytes();
byte[] token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(
BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REQ)), encoded), oidPkt, gssToken);
return(token);
}
/// <summary>
/// Decode GSSAPI token to AP-REP
/// </summary>
/// <param name="token">GSSAPI token</param>
/// <returns></returns>
private KerberosApResponse GetApResponseFromToken(byte[] token, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
if (gssToken == KerberosConstValue.GSSToken.GSSSPNG)
{
token = KerberosUtility.DecodeNegotiationToken(token);
}
if (token[0] == KerberosConstValue.KERBEROS_TAG)
{
byte[] apData = KerberosUtility.VerifyGssApiTokenHeader(token, this.client.OidPkt);
// Check if it has a two-byte tok_id
if (null == apData || apData.Length <= sizeof(TOK_ID))
{
throw new FormatException(
"Data length is shorter than a valid AP Response data length.");
}
// verify TOK_ID
byte[] tokenID = ArrayUtility.SubArray <byte>(apData, 0, sizeof(TOK_ID));
Array.Reverse(tokenID);
TOK_ID id = (TOK_ID)BitConverter.ToUInt16(tokenID, 0);
if (!id.Equals(TOK_ID.KRB_AP_REP))
{
throw new Exception("ApResponse Token ID should be KRB_AP_REP");
}
// Get apBody
token = ArrayUtility.SubArray(apData, sizeof(TOK_ID));
}
KerberosApResponse apRep = new KerberosApResponse();
apRep.FromBytes(token);
// Get the current encryption type, cipher data
EncryptionType encryptType = (EncryptionType)apRep.Response.enc_part.etype.Value;
byte[] cipherData = apRep.Response.enc_part.cipher.ByteArrayValue;
byte[] sessionKey = this.Context.ApSessionKey.keyvalue.ByteArrayValue;
// decrypt enc_part to clear text
byte[] clearText = KerberosUtility.Decrypt(encryptType, sessionKey, cipherData, (int)KeyUsageNumber.AP_REP_EncAPRepPart);
// decode enc_part
Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(clearText);
apRep.ApEncPart = new EncAPRepPart();
apRep.ApEncPart.BerDecode(decodeBuffer);
this.client.UpdateContext(apRep);
return(apRep);
}
/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <returns></returns>
private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));
Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
this.ApRequestAuthenticator = authenticator;
KerberosApRequest request = new KerberosApRequest(
Context.Pvno,
options,
Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
this.client.UpdateContext(request);
if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
{
return(request.ToBytes());
}
else
{
return(KerberosUtility.AddGssApiTokenHeader(request, this.client.OidPkt, gssToken));
}
}
protected override void TestInitialize()
{
base.TestInitialize();
if (!IsComputerInDomain)
{
BaseTestSite.Assert.Inconclusive("Kerberos Authentication test cases are not applicable in non-domain environment");
}
if (servicePrincipalName == null)
{
servicePrincipalName = Smb2Utility.GetCifsServicePrincipalName(TestConfig.SutComputerName);
}
switch (TestConfig.DefaultSecurityPackage)
{
case TestTools.StackSdk.Security.Sspi.SecurityPackageType.Negotiate:
GssToken = KerberosConstValue.GSSToken.GSSSPNG;
break;
case TestTools.StackSdk.Security.Sspi.SecurityPackageType.Kerberos:
GssToken = KerberosConstValue.GSSToken.GSSAPI;
break;
default:
BaseTestSite.Assert.Inconclusive("Security package: {0} is not applicable for Kerberos Authentication test cases",
TestConfig.DefaultSecurityPackage);
break;
}
}
protected byte[] SendAndRecieveLdapAp(LdapServer ldapServer, byte[] gssApiToken, KerberosConstValue.GSSToken gssToken)
{
SocketTransportConfig transportConfig = new SocketTransportConfig();
transportConfig.RemoteIpAddress = System.Net.IPAddress.Parse(ldapServer.IPAddress);
transportConfig.RemoteIpPort = ldapServer.LdapPort;
transportConfig.BufferSize = 8192;
transportConfig.Type = StackTransportType.Tcp;
transportConfig.Role = Role.Client;
AdtsLdapClient ldapClient = new AdtsLdapClient(AdtsLdapVersion.V3, transportConfig);
ldapClient.Connect();
string gss = (gssToken == KerberosConstValue.GSSToken.GSSSPNG) ? "GSS-SPNEGO" : "GSSAPI";
AdtsBindRequestPacket bindRequest = ldapClient.CreateSaslBindRequest(gss, gssApiToken);
ldapClient.SendPacket(bindRequest);
AdtsLdapPacket response = ldapClient.ExpectPacket(KerberosConstValue.TIMEOUT_DEFAULT);
BaseTestSite.Assert.IsNotNull(response, "Ldap response should not be null");
BaseTestSite.Assert.IsInstanceOfType(response, typeof(AdtsBindResponsePacket), "Ldap response should be a bind response.");
AdtsBindResponsePacket bindResponse = (AdtsBindResponsePacket)response;
//Response code is 14, Sasl Bind In Progress, need future investigate
byte[] repToken = ((BindResponse)bindResponse.GetInnerRequestOrResponse()).serverSaslCreds.ByteArrayValue;
return(repToken);
}