public override KerberosKey CreateKey() { if (this.cacheKey == null) { lock (this._syncCache) { if (this.cacheKey == null) { var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, this.Domain, new[] { this.UserName }); EncryptionType?etype = GetPreferredEType( this.Configuration.Defaults.DefaultTicketEncTypes, this.Configuration.Defaults.AllowWeakCrypto ); string salt = null; if (this.Salts != null && this.Salts.Any()) { var etypePreferences = GetPreferredETypes( this.Configuration.Defaults.DefaultTicketEncTypes, this.Configuration.Defaults.AllowWeakCrypto ).ToArray(); var preferredEtypes = this.Salts.Select(s => s.Key).Intersect(etypePreferences).OrderBy(e => Array.IndexOf(etypePreferences, e)); if (!preferredEtypes.Any()) { throw new KerberosPolicyException(PaDataType.PA_ENC_TIMESTAMP); } var kv = this.Salts.First(s => s.Key == preferredEtypes.First()); etype = kv.Key; salt = kv.Value; } if (etype is null) { etype = GetPreferredETypes(allowWeakCrypto: this.Configuration.Defaults.AllowWeakCrypto).FirstOrDefault(); } if (etype is null) { throw new NotSupportedException("Cannot agree on EType"); } this.cacheKey = new KerberosKey( this.password, principalName: principalName, etype: etype.Value, saltType: SaltType.ActiveDirectoryUser, salt: salt ); } } } return(this.cacheKey); }
private KerberosKey( byte[] key, string password, byte[] passwordBytes = null, PrincipalName principalName = null, string host = null, string salt = null, byte[] saltBytes = null, EncryptionType etype = 0, SaltType saltFormat = SaltType.ActiveDirectoryService, byte[] iterationParams = null, int?kvno = null ) { this.key = key; this.Password = password; this.passwordBytes = passwordBytes; this.PrincipalName = principalName; this.Host = host; this.salt = salt; this.saltBytes = saltBytes; this.EncryptionType = etype; this.SaltFormat = saltFormat; this.IterationParameter = iterationParams; this.Version = kvno; }
public override KerberosKey CreateKey() { if (this.cacheKey == null) { lock (this._syncCache) { if (this.cacheKey == null) { var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, this.Domain, new[] { this.UserName }); var etype = EncryptionType.AES256_CTS_HMAC_SHA1_96; var salt = string.Empty; if (this.Salts != null && this.Salts.Any()) { var kv = this.Salts.ElementAt(0); etype = kv.Key; salt = kv.Value; } this.cacheKey = new KerberosKey( this.password, principalName: principalName, etype: etype, saltType: SaltType.ActiveDirectoryUser, salt: salt ); } } } return(this.cacheKey); }
//private void LoadEmployees(IUserData db) //{ // _DirectReports = _Users.Where(u => u.Manager.PrincipalName == PrincipalName).Where(u => u.Id != Id); //} public IEnumerable <ValidationResult> Validate(ValidationContext validationContext) { if (_Users != null && _Users.Where(u => u.PrincipalName.Trim().Equals(PrincipalName.Trim(), StringComparison.Ordinal)).Where(u => u.Id != Id).Count() > 0) { yield return(new ValidationResult("Principal name is used.")); } }
private KerberosKey(byte[] key, string password, PrincipalName principalName = null, string host = null) { this.key = key; this.password = password; this.principalName = principalName; this.host = host; }
public override KerberosKey CreateKey() { if (cacheKey == null) { lock (_syncCache) { if (cacheKey == null) { var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Domain, new[] { UserName }); var etype = EncryptionType.AES256_CTS_HMAC_SHA1_96; var salt = ""; if (Salts != null && Salts.Count() > 0) { var kv = Salts.ElementAt(0); etype = kv.Key; salt = kv.Value; } cacheKey = new KerberosKey( password, principalName: principalName, etype: etype, saltType: SaltType.ActiveDirectoryUser, salt: salt ); } } } return(cacheKey); }
private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null) { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator"); Random r = new Random(); int seqNum = r.Next(); Authenticator plaintextAuthenticator = new Authenticator { authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5), crealm = realm, cusec = new Microseconds(0), ctime = KerberosUtility.CurrentKerberosTime, seq_number = new KerbUInt32(seqNum), cname = cname, subkey = subkey, authorization_data = data }; AuthCheckSum checksum = new AuthCheckSum { Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH }; checksum.Bnd = new byte[checksum.Lgth]; checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG); byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth), checksum.Bnd, BitConverter.GetBytes(checksum.Flags)); plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData)); return(plaintextAuthenticator); }
internal object ToParam() { return(new { account = ObjectName.ToUpper(), principal = PrincipalName.ToUpper(), }); }
private KerberosAuthenticator CreateAuthenticator() { // This could be done with DI and a factory pattern, but we're keeping it simple here. var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Options.Domain, new[] { Options.UserName }); var key = new KerberosKey(Options.Password, principalName, Options.Password); var validator = new KerberosValidator(key); var authenticator = new KerberosAuthenticator(validator); return(authenticator); }
public KerberosKey( string password, PrincipalName principalName = null, string host = null, string salt = null, EncryptionType etype = 0, SaltType saltType = SaltType.ActiveDirectoryService, byte[] iterationParams = null ) : this(null, password, null, principalName, host, salt, etype, saltType, iterationParams) { }
public override int GetHashCode() { unchecked { var hashCode = PrincipalName != null?PrincipalName.GetHashCode() : 0; hashCode = (hashCode * 397) ^ (PrincipalType != null ? PrincipalType.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (RightName != null ? RightName.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (AceType != null ? AceType.GetHashCode() : 0); return(hashCode); } }
private static void WritePrincipal(PrincipalName principal, NdrBuffer buffer) { buffer.WriteInt32BigEndian((int)principal.NameType); buffer.WriteInt32BigEndian(principal.Names.Count); WriteData(Encoding.UTF8.GetBytes(principal.Realm), buffer); foreach (var name in principal.Names) { WriteData(Encoding.UTF8.GetBytes(name), buffer); } }
public KrbFastFinished( KerberosTime param0, Microseconds param1, Realm param2, PrincipalName param3, Checksum param4) { this.timestamp = param0; this.usec = param1; this.crealm = param2; this.cname = param3; this.ticket_checksum = param4; }
public KerberosKey( byte[] key = null, byte[] password = null, PrincipalName principal = null, string host = null, string salt = null, EncryptionType etype = 0, SaltType saltType = SaltType.ActiveDirectoryService, byte[] iterationParams = null, int?kvno = null ) : this(key, null, password, principal, host, salt, etype, saltType, iterationParams, kvno) { }
private static KerberosKey CreateKey() { var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.COM", new[] { "testuser" }); var host = string.Empty; var key = new KerberosKey( "P@ssw0rd!", principalName: principalName, host: host, saltType: SaltType.ActiveDirectoryUser, etype: EncryptionType.AES256_CTS_HMAC_SHA1_96 ); return(key); }
/// <summary> /// Create authenticator for AP request or part of PA-DATA for TGS request. /// </summary> /// <param name="cRealm">This field contains the name of the realm in which the client is registered and in /// which initial authentication took place.</param> /// <param name="cName">This field contains the name part of the client's principal identifier.</param> /// <param name="checksumType">The checksum type selected.</param> /// <param name="seqNumber">The current local sequence number.</param> /// <param name="flag">The flag set in checksum field of Authenticator.</param> /// <param name="subkey">Specify the new subkey used in the following exchange. This field is optional. /// This argument can be got with method GenerateKey(ApSessionKey). /// This argument can be null. If this argument is null, no subkey will be sent.</param> /// <param name="authorizationData">The authentication data of authenticator. This field is optional. /// This argument can be generated by method ConstructAuthorizationData. This argument can be null. /// If this argument is null, no Authorization Data will be sent.</param> /// <param name="key">The key to do checksum.</param> /// <param name="checksumBody">The data to compute checksum.</param> /// <returns>The created authenticator.</returns> private Authenticator CreateAuthenticator(Realm cRealm, PrincipalName cName, ChecksumType checksumType, int seqNumber, ChecksumFlags flag, EncryptionKey subkey, AuthorizationData authorizationData, EncryptionKey key, byte[] checksumBody) { Authenticator plaintextAuthenticator = new Authenticator(); plaintextAuthenticator.authenticator_vno = new Asn1Integer(ConstValue.KERBEROSV5); plaintextAuthenticator.crealm = cRealm; plaintextAuthenticator.cname = cName; plaintextAuthenticator.cusec = new Microseconds(0); plaintextAuthenticator.ctime = KileUtility.CurrentKerberosTime; plaintextAuthenticator.seq_number = new KerbUInt32(seqNumber); plaintextAuthenticator.subkey = subkey; plaintextAuthenticator.authorization_data = authorizationData; if (checksumType == ChecksumType.ap_authenticator_8003) { // compute the checksum AuthCheckSum checksum = new AuthCheckSum(); checksum.Lgth = ConstValue.AUTHENTICATOR_CHECKSUM_LENGTH; checksum.Bnd = new byte[checksum.Lgth]; checksum.Flags = (int)flag; byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth), checksum.Bnd, BitConverter.GetBytes(checksum.Flags)); // in AP request plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData)); } else { // in TGS PA data byte[] checkData = KileUtility.GetChecksum( key.keyvalue.ByteArrayValue, checksumBody, (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum, checksumType); plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData)); } return(plaintextAuthenticator); }
public override KerberosKey CreateKey() { var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Domain, new[] { UserName }); Byte[] hashbytes = Utils.ToHexByteArray(this.hash); var salt = ""; return(new KerberosKey( hashbytes, null, principalName, etype: this.etype, saltType: SaltType.ActiveDirectoryUser, salt: salt )); }
public KileTgsRequest CreateTgsRequest(string sName, KDCOptions kdcOptions, Asn1SequenceOf <PA_DATA> paData, ChecksumType checksumType, Ticket additionalTicket, AuthorizationData authorizationData) { if (sName == null) { throw new ArgumentNullException(nameof(sName)); } var sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/'))); return(CreateTgsRequest(sname, kdcOptions, new KerbUInt32((uint)Math.Abs((uint)DateTime.Now.Ticks)), context.UserRealm, paData, checksumType, additionalTicket, authorizationData)); }
public KerberosKey( string password, PrincipalName principalName = null, string host = null, string salt = null, EncryptionType etype = 0, SaltType saltType = SaltType.ActiveDirectoryService, byte[] iterationParams = null, int?kvno = null ) : this(null, password, null, principalName, host, salt, etype, saltType, iterationParams, kvno) { if (string.IsNullOrWhiteSpace(password)) { throw new ArgumentNullException(nameof(password)); } }
public KerberosKey( byte[] key = null, byte[] password = null, PrincipalName principal = null, string host = null, string salt = null, EncryptionType etype = 0, SaltType saltType = SaltType.ActiveDirectoryService, byte[] iterationParams = null, int?kvno = null ) : this(key, null, password, principal, host, salt, etype, saltType, iterationParams, kvno) { if (key == null && password == null) { throw new ArgumentException("Either a key or password must be provided"); } }
public KileTgsRequest CreateTgsRequest(string sName, KRBFlags kdcOptions, KerbUInt32 nonce, Asn1SequenceOf <PA_DATA> paData, ChecksumType checksumType, Ticket additionalTicket, AuthorizationData authorizationData) { if (sName == null) { throw new ArgumentNullException("sName"); } PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KileUtility.String2SeqKerbString(sName.Split('/'))); return(CreateTgsRequest(context.UserRealm, context.UserName, sname, kdcOptions, nonce, context.UserRealm, paData, checksumType, additionalTicket, authorizationData)); }
/// <summary> /// Construct PA_TGS_REQ for TGS request. /// </summary> /// <param name="cRealm">This field contains the name of the realm in which the client is registered and in /// which initial authentication took place.</param> /// <param name="cName">This field contains the name part of the client's principal identifier.</param> /// <param name="checksumType">The checksum type in Authenticator.</param> /// <param name="checksumBody">The data to compute checksum.</param> /// <returns>The constructed PaData.</returns> private PA_DATA ConstructTgsPaData(Realm cRealm, PrincipalName cName, ChecksumType checksumType, byte[] checksumBody) { AP_REQ request = new AP_REQ(); KerbAuthDataTokenRestrictions adRestriction = ConstructKerbAuthDataTokenRestrictions(0, (uint)LSAP_TOKEN_INFO_INTEGRITY_Flags.FULL_TOKEN, (uint)LSAP_TOKEN_INFO_INTEGRITY_TokenIL.Medium, new Guid().ToString()); AuthorizationData authData = ConstructAuthorizationData(adRestriction); // create and encrypt authenticator Authenticator authenticator = CreateAuthenticator(cRealm, cName, checksumType, 0, 0, null, authData, context.TgsSessionKey, checksumBody); Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer(); authenticator.BerEncode(asnBuffPlainAuthenticator, true); byte[] encAsnEncodedAuth = KileUtility.Encrypt((EncryptionType)context.TgsSessionKey.keytype.Value, context.TgsSessionKey.keyvalue.ByteArrayValue, asnBuffPlainAuthenticator.Data, (int)KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator); request.authenticator = new EncryptedData(); request.authenticator.etype = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32(context.TgsSessionKey.keytype.Value); request.authenticator.cipher = new Asn1OctetString(encAsnEncodedAuth); // create AP request request.ap_options = new APOptions(KileUtility.ConvertInt2Flags((int)ApOptions.None)); request.msg_type = new Asn1Integer((int)MsgType.KRB_AP_REQ); request.pvno = new Asn1Integer(ConstValue.KERBEROSV5); request.ticket = context.TgsTicket; Asn1BerEncodingBuffer apBerBuffer = new Asn1BerEncodingBuffer(); request.BerEncode(apBerBuffer, true); return(new PA_DATA(new KerbInt32((int)PaDataType.PA_TGS_REQ), new Asn1OctetString(apBerBuffer.Data))); }