        /// <summary>
        /// Replaces the authorization-data field inside an encrypted Ticket.
        /// The enc_part is decrypted with <paramref name="key"/>, the EncTicketPart is
        /// BER-decoded, its authorization_data is overwritten, and the result is
        /// re-encoded and re-encrypted with the same etype and the same key usage.
        /// </summary>
        /// <param name="ticket">Ticket whose enc_part is rewritten in place.</param>
        /// <param name="key">Key that decrypts and then re-encrypts the ticket enc_part.</param>
        /// <param name="authorizationData">Authorization data to store in the ticket.</param>
        public static void UpdateAuthDataInTicket(Ticket ticket, byte[] key, AuthorizationData authorizationData)
        {
            // The same key usage covers both the decryption and the re-encryption.
            int usage = (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket;
            EncryptionType etype = (EncryptionType)ticket.enc_part.etype.Value;

            byte[] plainTicketPart = KerberosUtility.Decrypt(etype, key, ticket.enc_part.cipher.ByteArrayValue, usage);

            EncTicketPart ticketPart = new EncTicketPart();
            ticketPart.BerDecode(new Asn1DecodingBuffer(plainTicketPart));

            ticketPart.authorization_data = authorizationData;

            Asn1BerEncodingBuffer encoder = new Asn1BerEncodingBuffer();
            ticketPart.BerEncode(encoder, true);

            byte[] reEncrypted = KerberosUtility.Encrypt(etype, key, encoder.Data, usage);

            // NOTE(review): the rebuilt EncryptedData passes null as its second argument, so any
            // key version number carried by the original enc_part is not preserved — confirm
            // callers do not depend on it.
            ticket.enc_part = new EncryptedData(new KerbInt32((int)etype), null, new Asn1OctetString(reEncrypted));
        }
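        /// <summary>
        /// Decodes a GSS-API token carrying an AP-REP, decrypts its enc_part with the
        /// AP session key held in the context, and updates the client context with the result.
        /// </summary>
        /// <param name="token">GSS-API token bytes; wrapped in a negotiation token when <paramref name="gssToken"/> is GSSSPNG (the default).</param>
        /// <param name="gssToken">Token framing; GSSSPNG means the negotiation-token wrapper is removed first.</param>
        /// <returns>The decoded AP-REP with its ApEncPart decrypted and decoded.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="token"/> is null.</exception>
        /// <exception cref="FormatException">Thrown when the token is empty, the AP data is too short, or its TOK_ID is not KRB_AP_REP.</exception>
        private KerberosApResponse GetApResponseFromToken(byte[] token, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }

            if (gssToken == KerberosConstValue.GSSToken.GSSSPNG)
            {
                token = KerberosUtility.DecodeNegotiationToken(token);
            }

            // Guard the tag probe below: an empty (or unwrapped-to-null) token would otherwise
            // fail with IndexOutOfRangeException / NullReferenceException instead of a parse error.
            if (token == null || token.Length == 0)
            {
                throw new FormatException("Token is empty; expected a Kerberos AP-REP token.");
            }

            if (token[0] == KerberosConstValue.KERBEROS_TAG)
            {
                byte[] apData = KerberosUtility.VerifyGssApiTokenHeader(token, this.client.OidPkt);

                // The body must hold the two-byte TOK_ID plus at least one byte of AP-REP.
                if (apData == null || apData.Length <= sizeof(TOK_ID))
                {
                    throw new FormatException(
                              "Data length is shorter than a valid AP Response data length.");
                }

                // The TOK_ID bytes are reversed before BitConverter reads them in host order
                // (presumably a big-endian wire value on a little-endian host — verify if ported).
                byte[] tokenIdBytes = ArrayUtility.SubArray<byte>(apData, 0, sizeof(TOK_ID));
                Array.Reverse(tokenIdBytes);
                TOK_ID id = (TOK_ID)BitConverter.ToUInt16(tokenIdBytes, 0);

                if (id != TOK_ID.KRB_AP_REP)
                {
                    // FormatException derives from Exception, so existing catch blocks still match.
                    throw new FormatException("ApResponse Token ID should be KRB_AP_REP");
                }

                // Everything after TOK_ID is the AP-REP body.
                token = ArrayUtility.SubArray(apData, sizeof(TOK_ID));
            }

            KerberosApResponse apRep = new KerberosApResponse();
            apRep.FromBytes(token);

            EncryptionType encryptType = (EncryptionType)apRep.Response.enc_part.etype.Value;
            byte[] cipherData = apRep.Response.enc_part.cipher.ByteArrayValue;
            byte[] sessionKey = this.Context.ApSessionKey.keyvalue.ByteArrayValue;

            // Decrypt enc_part with the AP session key, then BER-decode the plaintext.
            byte[] clearText = KerberosUtility.Decrypt(encryptType, sessionKey, cipherData, (int)KeyUsageNumber.AP_REP_EncAPRepPart);

            apRep.ApEncPart = new EncAPRepPart();
            apRep.ApEncPart.BerDecode(new Asn1DecodingBuffer(clearText));

            this.client.UpdateContext(apRep);

            return apRep;
        }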
        /// <summary>
        /// Decrypts the enc_part of the stored KRB-PRIV with the given subkey and
        /// BER-decodes the plaintext into priv_enc_part.
        /// </summary>
        /// <param name="subkey">Key (etype plus key bytes) used to decrypt the KRB-PRIV enc_part.</param>
        public void DecryptKrbPriv(EncryptionKey subkey)
        {
            EncryptionType etype = (EncryptionType)subkey.keytype.Value;
            byte[] keyBytes = subkey.keyvalue.ByteArrayValue;
            byte[] cipher = krb_priv.enc_part.cipher.ByteArrayValue;

            byte[] plainPriv = KerberosUtility.Decrypt(etype, keyBytes, cipher, (int)KeyUsageNumber.KRB_PRIV_EncPart);

            // The decoded structure lands in the instance field; nothing is returned.
            priv_enc_part.BerDecode(new Asn1DecodingBuffer(plainPriv));
        }
        /// <summary>
        /// Decrypts the armored FAST request (EncFastReq) with the armor key and
        /// exposes the decoded result as FastReq; the key is remembered in ArmorKey.
        /// </summary>
        /// <param name="armorKey">FAST armor key bytes; stored in ArmorKey before decryption is attempted.</param>
        public void Decrypt(byte[] armorKey)
        {
            // ArmorKey is recorded first, so it stays set even if decryption throws.
            ArmorKey = armorKey;

            Cryptographic.EncryptionType etype = (Cryptographic.EncryptionType)EncFastReq.etype.Value;
            byte[] plainFastReq = KerberosUtility.Decrypt(etype, armorKey, EncFastReq.cipher.ByteArrayValue, (int)KeyUsageNumber.FAST_ENC);

            KrbFastReq decoded = new KrbFastReq();
            decoded.BerDecode(new Asn1DecodingBuffer(plainFastReq));

            FastReq = new KerberosFastRequest(decoded);
        }
        /// <summary>
        /// Decrypts the ticket enc_part of the response with the session key, decodes it
        /// into TicketEncPart, and dumps the plaintext for tracing.
        /// </summary>
        /// <param name="type">Encryption type used for the decryption.</param>
        /// <param name="sessionKey">Key bytes that decrypt the ticket enc_part.</param>
        private void DecryptTicket(EncryptionType type, byte[] sessionKey)
        {
            byte[] cipher = Response.ticket.enc_part.cipher.ByteArrayValue;
            byte[] plainTicket = KerberosUtility.Decrypt(type, sessionKey, cipher, (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

            // Assign before decoding, exactly as before, so the field is set even if decoding throws.
            TicketEncPart = new EncTicketPart();
            TicketEncPart.BerDecode(new Asn1DecodingBuffer(plainTicket));

            KerberosUtility.OnDumpMessage("KRB5:TicketEncPart",
                                          "Encrypted Ticket in TGS-REP",
                                          KerberosUtility.DumpLevel.PartialMessage,
                                          plainTicket);
        }
        /// <summary>
        /// Decrypts the enc_part of the TGS-REP with the given key, decodes it into
        /// EncPart as an EncTGSRepPart, and dumps the plaintext for tracing.
        /// </summary>
        /// <param name="key">Key bytes that decrypt the reply enc_part.</param>
        /// <param name="usage">Key usage number for the decryption; defaults to TGS_REP_encrypted_part.</param>
        public void DecryptTgsResponse(byte[] key, KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
        {
            EncryptionType etype = (EncryptionType)Response.enc_part.etype.Value;
            byte[] cipher = Response.enc_part.cipher.ByteArrayValue;
            byte[] plainEncPart = KerberosUtility.Decrypt(etype, key, cipher, (int)usage);

            EncPart = new EncTGSRepPart();
            EncPart.BerDecode(new Asn1DecodingBuffer(plainEncPart));

            KerberosUtility.OnDumpMessage("KRB5:TGS-REP(enc-part)",
                                          "Encrypted part of TGS-REP",
                                          KerberosUtility.DumpLevel.PartialMessage,
                                          plainEncPart);
        }
        /// <summary>
        /// Extracts the authorization-data field from an encrypted Ticket of an
        /// AS/TGS response by decrypting and BER-decoding its enc_part.
        /// </summary>
        /// <param name="ticket">Ticket whose enc_part holds the authorization data.</param>
        /// <param name="key">Key that decrypts the ticket enc_part.</param>
        /// <returns>The authorization_data field of the decoded EncTicketPart.</returns>
        public static AuthorizationData GetAuthDataInTicket(Ticket ticket, byte[] key)
        {
            EncryptionType etype = (EncryptionType)ticket.enc_part.etype.Value;
            byte[] cipher = ticket.enc_part.cipher.ByteArrayValue;

            byte[] plainTicketPart = KerberosUtility.Decrypt(etype, key, cipher, (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

            EncTicketPart ticketPart = new EncTicketPart();
            ticketPart.BerDecode(new Asn1DecodingBuffer(plainTicketPart));

            return ticketPart.authorization_data;
        }
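        /// <summary>
        /// Decrypts the enc_fast_rep of the armored reply with the given key and decodes
        /// the plaintext into a KerberosFastResponse.
        /// </summary>
        /// <param name="key">Key (etype plus key bytes) that decrypts enc_fast_rep.</param>
        /// <returns>The decoded KrbFastResponse wrapped as a KerberosFastResponse.</returns>
        public KerberosFastResponse GetKerberosFastRep(EncryptionKey key)
        {
            var armoredRep = GetArmoredRep();
            EncryptionType etype = (EncryptionType)key.keytype.Value;
            byte[] plainFastRep = KerberosUtility.Decrypt(etype,
                                                          key.keyvalue.ByteArrayValue,
                                                          armoredRep.enc_fast_rep.cipher.ByteArrayValue,
                                                          (int)KeyUsageNumber.FAST_REP);

            // The dump label names the field actually decrypted (enc_fast_rep); it used to say enc-fast-req.
            KerberosUtility.OnDumpMessage("KRB5:KrbFastArmoredRep(enc-fast-rep)",
                                          "An encrypted KrbFastRep in PA_FX_FAST_REPLY",
                                          KerberosUtility.DumpLevel.PartialMessage,
                                          plainFastRep);

            KrbFastResponse fastRep = new KrbFastResponse();
            fastRep.BerDecode(new Asn1DecodingBuffer(plainFastRep));

            return new KerberosFastResponse(fastRep);
        }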
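        /// <summary>
        /// Decrypts the AP-REP enc_part with the given key, dumps the plaintext once for
        /// tracing, and decodes it into ApEncPart.
        /// </summary>
        /// <param name="key">Key bytes that decrypt the AP-REP enc_part (key usage AP_REP_EncAPRepPart).</param>
        public void Decrypt(byte[] key)
        {
            EncryptionType etype = (EncryptionType)Response.enc_part.etype.Value;
            byte[] plainEncPart = KerberosUtility.Decrypt(
                etype,
                key,
                Response.enc_part.cipher.ByteArrayValue,
                (int)KeyUsageNumber.AP_REP_EncAPRepPart);

            // Dump before decoding so the plaintext is still traced if BerDecode throws.
            // This is the single dump for this method: the earlier extra copy was labelled
            // "PA-ENC-TS-ENC" (a pre-authentication label) and the description said AS-REP
            // for what is an AP-REP.
            KerberosUtility.OnDumpMessage("KRB5:AP-REP(enc-part)",
                                          "Encrypted part of AP-REP",
                                          KerberosUtility.DumpLevel.PartialMessage,
                                          plainEncPart);

            ApEncPart = new EncAPRepPart();
            ApEncPart.BerDecode(new Asn1DecodingBuffer(plainEncPart));
        }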
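        /// <summary>
        /// Decrypts the AS-REP enc_part with the given key and decodes it into EncPart.
        /// The outer tag of the plaintext selects the decoder, because some implementations
        /// send an EncTGSRepPart in an AS-REP ([RFC4120] Section 5.4.2).
        /// </summary>
        /// <param name="key">Key bytes that decrypt the reply enc_part.</param>
        /// <exception cref="FormatException">Thrown when the decrypted part carries neither the EncASRepPart nor the EncTGSRepPart tag.</exception>
        private void DecryptAsResponse(byte[] key)
        {
            // Tag numbers of the two enc_part types that may appear in an AS-REP.
            const int EncAsRepPartTag  = 25;
            const int EncTgsRepPartTag = 26;

            EncryptionType etype = (EncryptionType)Response.enc_part.etype.Value;

            // RC4-HMAC replies are decrypted with the TGS-REP key usage instead of the AS-REP one.
            int keyUsage = etype == EncryptionType.RC4_HMAC
                ? (int)KeyUsageNumber.TGS_REP_encrypted_part
                : (int)KeyUsageNumber.AS_REP_ENCRYPTEDPART;

            byte[] plainEncPart = KerberosUtility.Decrypt(etype, key, Response.enc_part.cipher.ByteArrayValue, keyUsage);

            // Peek at the outer tag on its own buffer so the full decode below starts from offset 0.
            Asn1Tag tag = null;
            Asn1StandardProcedure.TagBerDecode(new Asn1DecodingBuffer(plainEncPart), out tag);

            switch (tag.TagValue)
            {
                case EncAsRepPartTag:
                    EncPart = new EncASRepPart();
                    break;
                case EncTgsRepPartTag:
                    EncPart = new EncTGSRepPart();
                    break;
                default:
                    // FormatException derives from Exception, so existing catch blocks still match.
                    throw new FormatException("Unknown tag number");
            }

            EncPart.BerDecode(new Asn1DecodingBuffer(plainEncPart));
            KerberosUtility.OnDumpMessage("KRB5:AS-REP(enc-part)",
                                          "Encrypted part of AS-REP",
                                          KerberosUtility.DumpLevel.PartialMessage,
                                          plainEncPart);
        }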
 /// <summary>
 /// Delegates decryption of the given security buffers to KerberosUtility, using this instance's client.
 /// </summary>
 /// <param name="securityBuffers">Buffers handed to KerberosUtility.Decrypt.</param>
 /// <returns>Whatever KerberosUtility.Decrypt reports for the buffers.</returns>
 public override bool Decrypt(params SecurityBuffer[] securityBuffers)
 {
     bool succeeded = KerberosUtility.Decrypt(client, securityBuffers);
     return succeeded;
 }