private protected KerberosAPReplyAuthenticationToken(byte[] data, DERValue[] values) : base(data, values) { ProtocolVersion = 5; MessageType = KRB_MSG_TYPE.KRB_AP_REP; EncryptedPart = new KerberosEncryptedData(); }
/// <summary> /// Try and parse data into an ASN1 authentication token. /// </summary> /// <param name="data">The data to parse.</param> /// <param name="token">The Negotiate authentication token.</param> /// <param name="values">Parsed DER Values.</param> internal static bool TryParse(byte[] data, DERValue[] values, out KerberosAuthenticationToken token) { token = null; try { var ret = new KerberosAPReplyAuthenticationToken(data, values); if (values.Length != 1 || !values[0].CheckApplication(15) || !values[0].HasChildren()) { return(false); } values = values[0].Children; if (values.Length != 1 || !values[0].CheckSequence() || !values[0].HasChildren()) { return(false); } foreach (var next in values[0].Children) { if (next.Type != DERTagType.ContextSpecific) { return(false); } switch (next.Tag) { case 0: if (next.ReadChildInteger() != 5) { return(false); } break; case 1: if ((KerberosMessageType)next.ReadChildInteger() != KerberosMessageType.KRB_AP_REP) { return(false); } break; case 2: if (!next.HasChildren()) { return(false); } ret.EncryptedPart = KerberosEncryptedData.Parse(next.Children[0]); break; default: return(false); } } token = ret; return(true); } catch (InvalidDataException) { return(false); } }
internal static KerberosEncryptedData Parse(DERValue value) { if (!value.CheckSequence()) { throw new InvalidDataException(); } KerberosEncryptedData ret = new KerberosEncryptedData(); foreach (var next in value.Children) { if (next.Type != DERTagType.ContextSpecific) { throw new InvalidDataException(); } switch (next.Tag) { case 0: ret.EncryptionType = (KerberosEncryptionType)next.ReadChildInteger(); break; case 1: ret.KeyVersion = next.ReadChildInteger(); break; case 2: ret.CipherText = next.ReadChildOctetString(); break; default: throw new InvalidDataException(); } } return(ret); }
internal static bool Parse(KerberosEncryptedData orig_data, byte[] decrypted, out KerberosEncryptedData ticket) { ticket = null; try { DERValue[] values = DERParser.ParseData(decrypted, 0); if (values.Length != 1) { return(false); } DERValue value = values[0]; if (!value.CheckApplication(27) || !value.HasChildren()) { return(false); } if (!value.Children[0].CheckSequence()) { return(false); } var ret = new KerberosAPReplyEncryptedPart(orig_data); foreach (var next in value.Children[0].Children) { if (next.Type != DERTagType.ContextSpecific) { return(false); } switch (next.Tag) { case 0: ret.ClientTime = next.ReadChildGeneralizedTime(); break; case 1: ret.ClientUSec = next.ReadChildInteger(); break; case 2: if (!next.HasChildren()) { return(false); } ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], string.Empty, new KerberosPrincipalName()); break; case 3: ret.SequenceNumber = next.ReadChildInteger(); break; default: return(false); } } ticket = ret; } catch (InvalidDataException) { return(false); } catch (EndOfStreamException) { return(false); } return(true); }
private protected KerberosAPRequestAuthenticationToken(byte[] data, DERValue[] values) : base(data, values) { ProtocolVersion = 5; MessageType = KRB_MSG_TYPE.KRB_AP_REQ; Ticket = new KerberosTicket(); Authenticator = new KerberosEncryptedData(); }
internal static KerberosTicket Parse(DERValue value) { if (!value.CheckApplication(1) || !value.HasChildren()) { throw new InvalidDataException(); } if (!value.Children[0].CheckSequence()) { throw new InvalidDataException(); } KerberosTicket ret = new KerberosTicket(); foreach (var next in value.Children[0].Children) { if (next.Type != DERTagType.ContextSpecific) { throw new InvalidDataException(); } switch (next.Tag) { case 0: if (next.ReadChildInteger() != 5) { throw new InvalidDataException(); } break; case 1: ret.Realm = next.ReadChildGeneralString(); break; case 2: if (!next.Children[0].CheckSequence()) { throw new InvalidDataException(); } ret.ServerName = KerberosPrincipalName.Parse(next.Children[0]); break; case 3: if (!next.HasChildren()) { throw new InvalidDataException(); } ret.EncryptedData = KerberosEncryptedData.Parse(next.Children[0]); break; default: throw new InvalidDataException(); } } return(ret); }
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData authenticator = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); if (!Ticket.Decrypt(tmp_keys, KerberosKeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket)) { ticket = null; } if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, KerberosKeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset) { KerberosEncryptedData authenticator = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.Keys); if (!Ticket.Decrypt(tmp_keys, RC4KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket)) { ticket = null; } if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, RC4KeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData authenticator = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); if (!Ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket)) { ticket = null; } if (ticket != null || authenticator != null) { var ret = (KerberosTGTReplyAuthenticationToken)MemberwiseClone(); ret.Ticket = ticket ?? ret.Ticket; return(ret); } return(base.Decrypt(keyset)); }
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData encdata = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); List <KerberosTicket> dec_tickets = new List <KerberosTicket>(); bool decrypted_ticket = false; foreach (var ticket in Tickets) { if (ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket dec_ticket)) { dec_tickets.Add(dec_ticket); decrypted_ticket = true; } else { dec_tickets.Add(ticket); } } if (EncryptedPart.Decrypt(tmp_keys, string.Empty, new KerberosPrincipalName(), KeyUsage.KrbCred, out byte[] decrypted))
private KerberosAPReplyEncryptedPart(KerberosEncryptedData orig_data) : base(orig_data.EncryptionType, orig_data.KeyVersion, orig_data.CipherText) { }
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData encrypted_part = null; KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); if (EncryptedPart.Decrypt(tmp_keyset, string.Empty, new KerberosPrincipalName(), KerberosKeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
private protected KerberosAPReplyAuthenticationToken(byte[] data, DERValue[] values) : base(data, values, KerberosMessageType.KRB_AP_REP) { EncryptedPart = new KerberosEncryptedData(); }
private protected KerberosAPRequestAuthenticationToken(byte[] data, DERValue[] values) : base(data, values, KerberosMessageType.KRB_AP_REQ) { Ticket = new KerberosTicket(new byte[0]); Authenticator = new KerberosEncryptedData(); }
internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, KerberosKeySet keyset, out KerberosEncryptedData ticket) { ticket = null; try { DERValue[] values = DERParser.ParseData(decrypted, 0); if (values.Length != 1) { return(false); } DERValue value = values[0]; if (!value.CheckApplication(2) || !value.HasChildren()) { return(false); } if (!value.Children[0].CheckSequence()) { return(false); } var ret = new KerberosAuthenticator(orig_data); foreach (var next in value.Children[0].Children) { if (next.Type != DERTagType.ContextSpecific) { return(false); } switch (next.Tag) { case 0: if (next.ReadChildInteger() != 5) { return(false); } break; case 1: ret.ClientRealm = next.ReadChildGeneralString(); break; case 2: if (!next.Children[0].CheckSequence()) { return(false); } ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]); break; case 3: if (!next.Children[0].CheckSequence()) { return(false); } ret.Checksum = KerberosChecksum.Parse(next.Children[0]); break; case 4: ret.ClientUSec = next.ReadChildInteger(); break; case 5: ret.ClientTime = next.ReadChildGeneralizedTime(); break; case 6: if (!next.HasChildren()) { return(false); } ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName); break; case 7: ret.SequenceNumber = next.ReadChildInteger(); break; case 8: if (!next.HasChildren()) { return(false); } ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]); break; default: return(false); } } if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null) { KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosAuthenticationKey[0]); if (ret.SubKey != null) { tmp_keyset.Add(ret.SubKey); } gssapi.Decrypt(tmp_keyset); } ticket = ret; } catch (InvalidDataException) { return(false); } catch (EndOfStreamException) { return(false); } return(true); }
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset) { KerberosEncryptedData encrypted_part = null; if (EncryptedPart.Decrypt(keyset, string.Empty, new KerberosPrincipalName(), KeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
private KerberosAuthenticator(KerberosEncryptedData orig_data) : base(orig_data.EncryptionType, orig_data.KeyVersion, orig_data.CipherText) { AuthenticatorVersion = 5; }
/// <summary> /// Try and parse data into an ASN1 authentication token. /// </summary> /// <param name="data">The data to parse.</param> /// <param name="token">The Negotiate authentication token.</param> /// <param name="values">Parsed DER Values.</param> internal static bool TryParse(byte[] data, DERValue[] values, out KerberosAuthenticationToken token) { token = null; try { var ret = new KerberosAPRequestAuthenticationToken(data, values); if (values.Length != 1 || !values[0].CheckApplication(14) || !values[0].HasChildren()) { return(false); } values = values[0].Children; if (values.Length != 1 || !values[0].CheckSequence() || !values[0].HasChildren()) { return(false); } Queue <DERValue> queue = new Queue <DERValue>(values[0].Children); while (queue.Count > 0) { var next = queue.Dequeue(); if (next.Type != DERTagType.ContextSpecific) { return(false); } switch (next.Tag) { case 0: if (next.ReadChildInteger() != 5) { return(false); } break; case 1: if ((KRB_MSG_TYPE)next.ReadChildInteger() != KRB_MSG_TYPE.KRB_AP_REQ) { return(false); } break; case 2: if (!next.Children[0].CheckPrimitive(UniversalTag.BIT_STRING)) { return(false); } var bits = next.Children[0].ReadBitString(); var options = KerberosAPRequestOptions.None; if (bits[1]) { options |= KerberosAPRequestOptions.UseSessionKey; } if (bits[2]) { options |= KerberosAPRequestOptions.MutualAuthRequired; } ret.Options = options; break; case 3: if (!next.HasChildren()) { return(false); } ret.Ticket = KerberosTicket.Parse(next.Children[0]); break; case 4: if (!next.HasChildren()) { return(false); } ret.Authenticator = KerberosEncryptedData.Parse(next.Children[0]); break; default: return(false); } } token = ret; return(true); } catch (InvalidDataException) { return(false); } }