// 处理用户Client发送来的请求 ,并作出相关的处理
public void HandleApReq(KerbAPRequest kerbApRequest,out bool stvalid , out bool apResponse)
{
string errorInfo = string.Empty;
//STicket sticket = kerbApRequest.sticket;
string encryptSTicket = kerbApRequest.encrptSticket;
string sticket = desCrypt.Decrypt(encryptSTicket, KeyType.TGS_AP_Key, KeyType.Iv);
string[] ticketArray = sticket.Split('|');
string sIdentity = ticketArray[0];
DateTime ts4 = Convert.ToDateTime(ticketArray[1]);
double lifetime4 = Convert.ToDouble(ticketArray[2]);
string uid2 = ticketArray[3];
int adc = Convert.ToInt32(ticketArray[4]);
STicket sTicket = new STicket(uid2,sIdentity,ts4,adc,lifetime4);
Authenticator authen = kerbApRequest.authenticator;
if ((authen.adc != sTicket.Adc1) || (authen.uid != sTicket.Uid))
{
// 两者之间的认证标志不一样或者UID不一样的话 说明STicket被修改
stvalid = false;
apResponse = false;
errorInfo = "STikcet票据已经被修改";
}
stvalid = true; //票据是合法的
// 下面就是对权限的管理和控制
apResponse = true; // 允许Client访问服务。
}
/*
*
* TGT解密的过程不是在:Client端被解密,而是在TGSServer端被解密
*
* TGS服务器处理KerbTGSRequest请求,并判断TGTicket是否有效;
* 有效的话,则直接产生STicket
* **/
public void HandleTgsReq(KerbTGSRequest kerbTgsRequest, out bool tgsvalid, out string kerbTgsResponse)
{
// out型参数可以不被初始化
string session_key_1 = kerbTgsRequest.session_key_1;
string encryptUid = kerbTgsRequest.encryptUid;
//TGTicket tgticket = kerbTgsRequest.tgticket;
string encrptTgsTicket = kerbTgsRequest.encyptgsTicket;
string tgticket = desCrypt.Decrypt(encrptTgsTicket, KeyType.AS_TGS_Key, KeyType.Iv);
string[] ticketArray = tgticket.Split('|');
string uid = ticketArray[0];
DateTime ts2 = Convert.ToDateTime(ticketArray[1]);
double lifetime2 = Convert.ToDouble(ticketArray[2]);
TGTicket tgtTicket = new TGTicket(uid, ts2, lifetime2);
string validUid = desCrypt.Decrypt(encryptUid, session_key_1, KeyType.Iv);
string errorInfo = string.Empty;
if ((!validUid.Equals(uid)) || (string.IsNullOrEmpty(validUid)))
{
errorInfo = "TGS票据被修改,uid的值已经被改变";
tgsvalid = false;
kerbTgsResponse = "";
HandleTgsReq(kerbTgsRequest, out tgsvalid, out kerbTgsResponse);
}
else if (IsTGTExpired(tgtTicket))
{
errorInfo = "TGS票据过期";
tgsvalid = false;
kerbTgsResponse = "";
HandleTgsReq(kerbTgsRequest, out tgsvalid, out kerbTgsResponse); //重新获取tgsResp请求
}
else
{
// 下面就是TGS服务器向Client发送的 uid与STicket中的uid是一样的
STicket sticket = new STicket(uid);
string key1 = KeyType.Client_AP_Key; //Client与AP应用服务之间的会话密钥
string iv = KeyType.Iv; // Or "********"
string strBuilder1 = string.Concat(sticket.STIdentity, "|", Convert.ToString(sticket.TS4));
string strBuilder2 = string.Concat(strBuilder1, "|", Convert.ToString(sticket.LifeTime4));
string strBuilder3 = string.Concat(strBuilder2, "|", uid);
string strBuilder = string.Concat(strBuilder3, "|", Convert.ToString(sticket.Adc1));
string encryptSticket = desCrypt.Encrypt(strBuilder, KeyType.TGS_AP_Key, KeyType.Iv); //加密过后的STicket
// 下面实现一个时间戳验证
//DateTime ts4_1 = DateTime.Now;
//string test = desCrypt.GenerateDesCryProvider(ref key1,ref iv);
// 主要是确保随机密钥的安全性:下面就是数字签名的流程
key1 = desCrypt.GenerateDesCryProvider(ref key1, ref iv);//desCrypt.GenerateDesCryProvider(ref key1, ref iv);
//string key1text = rsaCrpt.RSAEncrypt(HttpUtility.HtmlDecode(publicKey), key1);
string hashData = "";
rsaCrpt.GetHash(key1, ref hashData);
string rsasign = ""; //key1text的数字签名
rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);
string kerbTgsResp = string.Concat(string.Concat(encryptSticket, "|", key1), "|", uid); // AS向Client发回的响应
//kerbTgsResp = string.Concat(kerbTgsResp, ",", rsasign);
tgsvalid = true;
kerbTgsResponse = kerbTgsResp;
}
}
