/// <summary> /// Decode GSSAPI token to AP-REP /// </summary> /// <param name="token">GSSAPI token</param> /// <returns></returns> private KerberosApResponse GetApResponseFromToken(byte[] token, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG) { if (gssToken == KerberosConstValue.GSSToken.GSSSPNG) { token = KerberosUtility.DecodeNegotiationToken(token); } if (token[0] == KerberosConstValue.KERBEROS_TAG) { byte[] apData = KerberosUtility.VerifyGssApiTokenHeader(token, this.client.OidPkt); // Check if it has a two-byte tok_id if (null == apData || apData.Length <= sizeof(TOK_ID)) { throw new FormatException( "Data length is shorter than a valid AP Response data length."); } // verify TOK_ID byte[] tokenID = ArrayUtility.SubArray <byte>(apData, 0, sizeof(TOK_ID)); Array.Reverse(tokenID); TOK_ID id = (TOK_ID)BitConverter.ToUInt16(tokenID, 0); if (!id.Equals(TOK_ID.KRB_AP_REP)) { throw new Exception("ApResponse Token ID should be KRB_AP_REP"); } // Get apBody token = ArrayUtility.SubArray(apData, sizeof(TOK_ID)); } KerberosApResponse apRep = new KerberosApResponse(); apRep.FromBytes(token); // Get the current encryption type, cipher data EncryptionType encryptType = (EncryptionType)apRep.Response.enc_part.etype.Value; byte[] cipherData = apRep.Response.enc_part.cipher.ByteArrayValue; byte[] sessionKey = this.Context.ApSessionKey.keyvalue.ByteArrayValue; // decrypt enc_part to clear text byte[] clearText = KerberosUtility.Decrypt(encryptType, sessionKey, cipherData, (int)KeyUsageNumber.AP_REP_EncAPRepPart); // decode enc_part Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(clearText); apRep.ApEncPart = new EncAPRepPart(); apRep.ApEncPart.BerDecode(decodeBuffer); this.client.UpdateContext(apRep); return(apRep); }