public EncTicketPart(
TicketFlags param0,
EncryptionKey param1,
Realm param2,
PrincipalName param3,
TransitedEncoding param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
HostAddresses param9,
AuthorizationData param10)
{
this.flags = param0;
this.key = param1;
this.crealm = param2;
this.cname = param3;
this.transited = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.caddr = param9;
this.authorization_data = param10;
}
/// <summary>
/// Construct a Kerberos test client for FAST
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
public KerberosFunctionalClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt omiPkt, ITestSite baseTestSite)
: base(domain, cName, password, accountType, armorTicket, armorSessionKey, kdcAddress, kdcPort, transportType, omiPkt)
{
testSite = baseTestSite;
if (accountType == KerberosAccountType.Device)
{
testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using computer account: {0}@{1}.",
cName, domain);
}
else
{
testSite.Log.Add(LogEntryKind.Debug, "Construct Kerberos client using user account: {0}@{1}.",
cName, domain);
}
EncryptionType[] encryptionTypes = new EncryptionType[]
{
EncryptionType.AES256_CTS_HMAC_SHA1_96,
EncryptionType.AES128_CTS_HMAC_SHA1_96,
EncryptionType.RC4_HMAC,
EncryptionType.RC4_HMAC_EXP,
EncryptionType.DES_CBC_CRC,
EncryptionType.DES_CBC_MD5
};
KerbInt32[] etypes = new KerbInt32[encryptionTypes.Length];
for (int i = 0; i < encryptionTypes.Length; i++)
{
etypes[i] = new KerbInt32((int)encryptionTypes[i]);
}
Asn1SequenceOf<KerbInt32> etype = new Asn1SequenceOf<KerbInt32>(etypes);
Context.SupportedEType = etype;
Context.Pvno = KerberosConstValue.KERBEROSV5;
}
public EncASRepPart(
EncryptionKey param0,
LastReq param1,
KerbUInt32 param2,
KerberosTime param3,
TicketFlags param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
Realm param9,
PrincipalName param10,
HostAddresses param11,
Asn1SequenceOf<PA_DATA> param12)
{
this.key = param0;
this.last_req = param1;
this.nonce = param2;
this.key_expiration = param3;
this.flags = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.srealm = param9;
this.sname = param10;
this.caddr = param11;
this.pa_datas = param12;
}
public KrbCredInfo(
EncryptionKey param0,
Realm param1,
PrincipalName param2,
TicketFlags param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
Realm param8,
PrincipalName param9,
HostAddresses param10)
{
this.key = param0;
this.prealm = param1;
this.pname = param2;
this.flags = param3;
this.authtime = param4;
this.starttime = param5;
this.endtime = param6;
this.renew_till = param7;
this.srealm = param8;
this.sname = param9;
this.caddr = param10;
}
/// <summary>
/// Create context
/// </summary>
/// <param name="domain">Domain name</param>
/// <param name="cName">Principal name</param>
/// <param name="password">Password of principal</param>
/// <param name="accountType">Accoundtype, user or device</param>
/// <param name="armorTicket">Computer TGT as armor ticket</param>
/// <param name="armorSessionKey">Computer TGS session key as armor session key</param>
public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt, KerberosTicket armorTicket, EncryptionKey armorSessionKey)
: this(domain, cName, password, accountType, salt)
{
this.ArmorTicket = armorTicket;
this.ArmorSessionKey = armorSessionKey;
this.SelectedEType = (EncryptionType)this.ArmorTicket.SessionKey.keytype.Value;
}
/// <summary>
/// Create a KileClient instance.
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
{
TransportBufferSize = KerberosConstValue.TRANSPORT_BUFFER_SIZE;
this.Context = new KerberosContext(domain, cName, password, accountType, salt, armorTicket, armorSessionKey);
this.kdcAddress = kdcAddress;
this.kdcPort = kdcPort;
this.transportType = transportType;
this.oidPkt = oidPkt;
this.Context.TransportType = transportType;
}
public KrbFastResponse(
Asn1SequenceOf<PA_DATA> param0,
EncryptionKey param1,
KrbFastFinished param2,
KerbUInt32 param3)
{
this.padata = param0;
this.strengthen_key = param1;
this.finished = param2;
this.nonce = param3;
}
public EncAPRepPart(
KerberosTime param0,
Microseconds param1,
EncryptionKey param2,
KerbUInt32 param3)
{
this.ctime = param0;
this.cusec = param1;
this.subkey = param2;
this.seq_number = param3;
}
public Authenticator(
Asn1Integer param0,
Realm param1,
PrincipalName param2,
Checksum param3,
Microseconds param4,
KerberosTime param5,
EncryptionKey param6,
KerbUInt32 param7,
AuthorizationData param8)
{
this.authenticator_vno = param0;
this.crealm = param1;
this.cname = param2;
this.cksum = param3;
this.cusec = param4;
this.ctime = param5;
this.subkey = param6;
this.seq_number = param7;
this.authorization_data = param8;
}
/// <summary>
/// Decrypt the KRB-PRIV
/// </summary>
/// <param name="subkey">the subkey used to decrypt</param>
public void DecryptKrbPriv(EncryptionKey subkey)
{
byte[] priv = KerberosUtility.Decrypt(
(EncryptionType)subkey.keytype.Value,
subkey.keyvalue.ByteArrayValue,
krb_priv.enc_part.cipher.ByteArrayValue,
(int)KeyUsageNumber.KRB_PRIV_EncPart);
Asn1DecodingBuffer decodeBuffer = new Asn1DecodingBuffer(priv);
priv_enc_part.BerDecode(decodeBuffer);
}
private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subKey, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subKey);
byte[] checkData = KerberosUtility.GetChecksum(ticket.SessionKey.keyvalue.ByteArrayValue, checksumBody, (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum, checksumType);
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));
return(plaintextAuthenticator);
}
private Authenticator CreateAuthenticator(
KerberosTicket ticket,
AuthorizationData data,
EncryptionKey subkey
)
{
Authenticator plaintextAuthenticator = new Authenticator();
plaintextAuthenticator.authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5);
plaintextAuthenticator.crealm = Context.CName.Realm;
plaintextAuthenticator.cusec = new Microseconds(0);
plaintextAuthenticator.ctime = KerberosUtility.CurrentKerberosTime;
plaintextAuthenticator.seq_number = new KerbUInt32(0);
plaintextAuthenticator.cname = ticket.TicketOwner;
plaintextAuthenticator.subkey = subkey;
plaintextAuthenticator.authorization_data = data;
return plaintextAuthenticator;
}
/// <summary>
/// Create a Kerberos ticket
/// </summary>
/// <param name="ticket">Ticket</param>
/// <param name="ticketOwner">Owner of ticket</param>
/// <param name="sessionKey">Session key in ticket</param>
public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
{
this.Ticket = ticket;
this.TicketOwner = ticketOwner;
this.SessionKey = sessionKey;
}
/// <summary>
/// Create a Kerberos ticket
/// </summary>
/// <param name="ticket">Ticket</param>
/// <param name="ticketOwner">Owner of ticket</param>
/// <param name="sessionKey">Session key in ticket</param>
public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
{
this.Ticket = ticket;
this.TicketOwner = ticketOwner;
this.SessionKey = sessionKey;
}
private static EncryptionKey GetArmorKey(EncryptionKey sessionKey, EncryptionKey subKey, EncryptionKey explicitSubkey = null)
{
EncryptionKey armorKey;
if (explicitSubkey != null)
{
armorKey = KerberosUtility.KrbFxCf2(explicitSubkey, sessionKey, "subkeyarmor", "ticketarmor");
armorKey = KerberosUtility.KrbFxCf2(armorKey, subKey, "explicitarmor", "tgsarmor");
}
else
{
armorKey = KerberosUtility.KrbFxCf2(subKey, sessionKey, "subkeyarmor", "ticketarmor");
}
return armorKey;
}
private EncTicketPart RetrieveAndDecryptServiceTicket(KerberosFunctionalClient kerberosClient, out EncryptionKey serviceKey)
{
//Create and send AS request
const KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
kerberosClient.SendAsRequest(options, null);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects Kerberos Error from KDC");
//Receive preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = kerberosClient.ExpectPreauthRequiredError(out methodData);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends AS request with PA-DATA set");
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
kerberosClient.Context.SelectedEType,
kerberosClient.Context.CName.Password,
kerberosClient.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
kerberosClient.SendAsRequest(options, seqOfPaData);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects AS response from KDC");
KerberosAsResponse asResponse = kerberosClient.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "AS response should contain a TGT.");
//Create and send TGS request
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client sends TGS request to KDC");
kerberosClient.SendTgsRequest(servicePrincipalName, options);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Kerberos Functional Client expects TGS response from KDC");
KerberosTgsResponse tgsResponse = kerberosClient.ExpectTgsResponse();
BaseTestSite.Assert.AreEqual(servicePrincipalName,
KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
"Service principal name in service ticket should match expected.");
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Decrypt SMB2 Service Ticket");
serviceKey = keyManager.QueryKey(servicePrincipalName, TestConfig.DomainName, kerberosClient.Context.SelectedEType);
tgsResponse.DecryptTicket(serviceKey);
return tgsResponse.TicketEncPart;
}
/// <summary>
/// Create and send FAST AS request
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
public void SendAsRequestWithFastHideCName(
KdcOptions kdcOptions,
string cName,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
}
private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null)
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator");
Random r = new Random();
int seqNum = r.Next();
Authenticator plaintextAuthenticator = new Authenticator
{
authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5),
crealm = realm,
cusec = new Microseconds(0),
ctime = KerberosUtility.CurrentKerberosTime,
seq_number = new KerbUInt32(seqNum),
cname = cname,
subkey = subkey,
authorization_data = data
};
AuthCheckSum checksum = new AuthCheckSum { Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH };
checksum.Bnd = new byte[checksum.Lgth];
checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
return plaintextAuthenticator;
}
private EncryptedData EncryptTicket(EncTicketPart encTicketPart, EncryptionKey serviceKey)
{
Asn1BerEncodingBuffer encodeBuffer = new Asn1BerEncodingBuffer();
encTicketPart.BerEncode(encodeBuffer, true);
byte[] encData = KerberosUtility.Encrypt(
(EncryptionType)serviceKey.keytype.Value,
serviceKey.keyvalue.ByteArrayValue,
encodeBuffer.Data,
(int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);
return new EncryptedData(
new KerbInt32(serviceKey.keytype.Value),
null,
new Asn1OctetString(encData));
}
/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <returns></returns>
private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));
Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
this.ApRequestAuthenticator = authenticator;
KerberosApRequest request = new KerberosApRequest(
Context.Pvno,
options,
Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
this.client.UpdateContext(request);
if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
{
return(request.ToBytes());
}
else
{
return(KerberosUtility.AddGssApiTokenHeader(request, this.client.OidPkt, gssToken));
}
}
public KerberosFastResponse(Asn1SequenceOf<PA_DATA> seqPaData, EncryptionKey strengthenKey, KrbFastFinished finished, long nouce)
{
this.FastResponse = new KrbFastResponse(seqPaData, strengthenKey, finished, new KerbUInt32(nouce));
}
private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subKey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator authenticator = CreateAuthenticator(ticket, data, subKey, checksumType, checksumBody);
KerberosApRequest apRequest = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
return(apRequest);
}
public PaFxFastReq CreateTgsPaFxFast(
EncryptionKey armorKey,
KerberosTicket armorTicket,
FastOptions fastOptions,
ApOptions apOptions,
Asn1SequenceOf<PA_DATA> seqPaData,
string sName,
byte[] apReq,
IFastArmor armor = null
)
{
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
//Generate checksum
var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
var chksum = KerberosUtility.GetChecksum(
armorKey.keyvalue.ByteArrayValue,
apReq,
(int)KeyUsageNumber.FAST_REQ_CHECKSUM,
checksumType);
Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));
KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
KerberosArmoredRequest armoredReq
= new KerberosArmoredRequest(armor, checkSum, (long)Context.SelectedEType, armorKey.keyvalue.ByteArrayValue, fastReq);
PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
return paFxfast;
}
/// <summary>
/// Kerberos Client Initialize without server token
/// </summary>
private void ClientInitialize()
{
this.ApRequestAuthenticator = null;
// Create and send AS request for pre-authentication
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
KerberosTicket ticket = this.GetTGTCachedToken(this.credential, this.serverName);
if (ticket == null)
{
this.SendAsRequest(options, null);
// Expect recieve preauthentication required error
METHOD_DATA methodData;
this.ExpectPreauthRequiredError(out methodData);
// Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
this.Context.SelectedEType,
this.Context.CName.Password,
this.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
PaPacOptions paPacOptions = new PaPacOptions(PacOptions.Claims | PacOptions.ForwardToFullDc);
Asn1SequenceOf <PA_DATA> seqOfPaData_AS = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, paPacOptions.Data });
// Create and send AS request for TGT
KerberosAsRequest asRequest = this.SendAsRequest(options, seqOfPaData_AS);
// Expect TGT(AS) Response from KDC
KerberosAsResponse asResponse = this.ExpectAsResponse();
// Create and send TGS request
Asn1SequenceOf <PA_DATA> seqOfPaData_TGS = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paPacRequest.Data, paPacOptions.Data });
this.SendTgsRequest(this.serverName, options, seqOfPaData_TGS);
// Expect TGS Response from KDC
KerberosTgsResponse tgsResponse = this.ExpectTgsResponse();
this.UpdateTGTCachedToken(this.Context.Ticket);
}
else
{
// Restore SessionKey and Ticket from cache
this.Context.SessionKey = ticket.SessionKey;
this.Context.ApSessionKey = ticket.SessionKey;
this.Context.Ticket = ticket;
this.Context.SelectedEType = (EncryptionType)Context.Ticket.Ticket.enc_part.etype.Value;
}
// cache this.Context.Ticket;
ApOptions apOption;
GetFlagsByContextAttribute(out apOption);
AuthorizationData data = null;
EncryptionKey subkey = KerberosUtility.GenerateKey(this.client.Context.ContextKey);
this.token = this.CreateGssApiToken(apOption,
data,
subkey,
this.Context.ChecksumFlag,
KerberosConstValue.GSSToken.GSSAPI);
bool isMutualAuth = (contextAttribute & ClientSecurityContextAttribute.MutualAuth)
== ClientSecurityContextAttribute.MutualAuth;
bool isDceStyle = (contextAttribute & ClientSecurityContextAttribute.DceStyle)
== ClientSecurityContextAttribute.DceStyle;
if (isMutualAuth || isDceStyle)
{
this.needContinueProcessing = true;
}
else
{
this.needContinueProcessing = false;
}
}
/// <summary>
/// Create and send FAST AS request with an unknown armor type
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="armorType">armorType</param>
public void SendAsRequestWithFast(
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
KrbFastArmorType armorType
)
{
Context.Subkey = subKey;
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
}
public KerberosFastResponse GetKerberosFastRep(EncryptionKey key)
{
var armoredRep = GetArmoredRep();
var decrypted = KerberosUtility.Decrypt((EncryptionType)key.keytype.Value ,
key.keyvalue.ByteArrayValue,
armoredRep.enc_fast_rep.cipher.ByteArrayValue,
(int)KeyUsageNumber.FAST_REP
);
KerberosUtility.OnDumpMessage("KRB5:KrbFastArmoredRep(enc-fast-req)",
"An encrypted KrbFastRep in PA_FX_FAST_REPLY",
KerberosUtility.DumpLevel.PartialMessage,
decrypted);
KrbFastResponse fastrep = new KrbFastResponse();
fastrep.BerDecode(new Asn1DecodingBuffer(decrypted));
return new KerberosFastResponse(fastrep);
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithExplicitFast(
string sName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
AuthorizationData data = null)
{
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
//Create PA-TGS-REQ
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
//Create explicit FAST armor
EncryptionKey explicitSubkey = KerberosUtility.MakeKey(
Context.SelectedEType,
"Password04!",
"This is a salt");
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request);
//Create armor key
var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey);
Context.FastArmorkey = armorKey;
//Create PA-FX-FAST
var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
var keyvalue = KeyGenerator.KrbFxCf2(
(EncryptionType)armorKey.keytype.Value,
armorKey.keyvalue.ByteArrayValue,
userLongTermKey.keyvalue.ByteArrayValue,
"clientchallengearmor",
"challengelongterm");
switch (type)
{
case EncryptionType.AES256_CTS_HMAC_SHA1_96:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
case EncryptionType.RC4_HMAC:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
default:
throw new ArgumentException("Unsupported encryption type.");
}
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);
EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value),
null,
new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
encryptedChallenge.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data));
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithFastHideCName(
string sName,
PrincipalName cName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions,
AuthorizationData data = null)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
kdcReqBody.cname = cName;
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
var armorKey = GetArmorKey(Context.SessionKey, subKey);
var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue);
Context.FastArmorkey = armorKey;
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
public static EncryptionKey MakeKey(EncryptionType type, string password, string salt)
{
EncryptionKey key = new EncryptionKey(new KerbInt32((long)type), new Asn1OctetString(KeyGenerator.MakeKey(type, password, salt)));
return(key);
}
private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subkey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator authenticator = CreateAuthenticator(ticket, data, subkey, checksumType, checksumBody);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
return apReq;
}
/// <summary>
/// Generate a GCC AP token for the given account and SPN.
/// </summary>
/// <param name="kdcIpAddr">KDC IP address</param>
/// <param name="account">Account Name.</param>
/// <param name="pwd">Password of the account.</param>
/// <param name="domain">Domain name.</param>
/// <param name="spn">SPN</param>
/// <param name="aType">Account type</param>
/// <returns>Token</returns>
public static byte[] GenerateGssApToken(string kdcIpAddr, string account, string pwd, string domain, string spn, KerberosAccountType aType)
{
KerberosTestClient client = new KerberosTestClient(
domain,
account,
pwd,
KerberosAccountType.User,
kdcIpAddr,
88,
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.TransportType.TCP,
(KerberosConstValue.OidPkt)Enum.Parse(typeof(KerberosConstValue.OidPkt), "MSKerberosToken"));
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE | KdcOptions.OK_AS_DELEGATE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaEncTimeStamp paEncTimeStamp = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaEncTimeStamp(timeStamp, 0, client.Context.SelectedEType, client.Context.CName.Password, client.Context.CName.Salt);
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaPacRequest paPacRequest = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PaPacRequest(true);
Microsoft.Protocols.TestTools.StackSdk.Asn1.Asn1SequenceOf <PA_DATA> seqOfPaData = new Microsoft.Protocols.TestTools.StackSdk.Asn1.Asn1SequenceOf <PA_DATA>(new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data });
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
//Create and send TGS request
client.SendTgsRequest(spn, options);
KerberosTgsResponse refTgsResponse = client.ExpectTgsResponse();
// client.ChangeRealm(childDomain, childDcIp, 88, Microsoft.Protocols.TestTools.StackSdk.Security.Kerberos.TransportType.TCP);
// client.SendTgsRequest(spn, options);
// KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.AuthorizationData data = null;
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.EncryptionKey subkey = Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerberosUtility.GenerateKey(client.Context.SessionKey);
byte[] token = client.CreateGssApiToken(Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.ApOptions.None,
data,
subkey,
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.ChecksumFlags.None,
KerberosConstValue.GSSToken.GSSAPI
);
return(token);
}
private Authenticator CreateAuthenticator(
KerberosTicket ticket,
AuthorizationData data,
EncryptionKey subkey,
ChecksumType checksumType,
byte[] checksumBody
)
{
Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);
byte[] checkData = KerberosUtility.GetChecksum(ticket.SessionKey.keyvalue.ByteArrayValue,
checksumBody, (int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum, checksumType);
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));
return plaintextAuthenticator;
}
/// <summary>
/// Create authenticator for ChecksumType.ap_authenticator_8003
/// </summary>
private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlag)
{
Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);
AuthCheckSum checksum = new AuthCheckSum();
checksum.Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
checksum.Bnd = new byte[checksum.Lgth];
checksum.Flags = (int)checksumFlag;
byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
return(plaintextAuthenticator);
}
/// <summary>
/// Create a KileClient instance.
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, IPAddress kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
{
TransportBufferSize = KerberosConstValue.TRANSPORT_BUFFER_SIZE;
this.Context = new KerberosContext(domain, cName, password, accountType, salt, armorTicket, armorSessionKey, KerberosContextType.Client);
this.kdcAddress = kdcAddress;
this.kdcPort = kdcPort;
this.transportType = transportType;
this.oidPkt = oidPkt;
this.Context.TransportType = transportType;
}
/// <summary>
/// Create a KileClient instance.
/// </summary>
/// <param name="domain">The realm part of the client's principal identifier.
/// This argument cannot be null.</param>
/// <param name="cName">The account to logon the remote machine. Either user account or computer account
/// This argument cannot be null.</param>
/// <param name="password">The password of the user. This argument cannot be null.</param>
/// <param name="accountType">The type of the logon account. User or Computer</param>
/// <param name="kdcAddress">The IP address of the KDC.</param>
/// <param name="kdcPort">The port of the KDC.</param>
/// <param name="transportType">Whether the transport is TCP or UDP transport.</param>
/// <exception cref="System.ArgumentNullException">Thrown when the input parameter is null.</exception>
public KerberosClient(string domain, string cName, string password, KerberosAccountType accountType, KerberosTicket armorTicket, EncryptionKey armorSessionKey, string kdcAddress, int kdcPort, TransportType transportType, KerberosConstValue.OidPkt oidPkt = KerberosConstValue.OidPkt.KerberosToken, string salt = null)
: this(domain, cName, password, accountType, armorTicket, armorSessionKey, IPAddress.Parse(kdcAddress), kdcPort, transportType, oidPkt, salt)
{
}
public PaFxFastReq CreateAsPaFxFast(
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
Asn1SequenceOf<PA_DATA> seqPaData,
string sName,
KDC_REQ_BODY kdcReqBody,
KrbFastArmorType armorType
)
{
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
var armorKey = KerberosUtility.MakeArmorKey(
Context.SelectedEType,
subKey.keyvalue.ByteArrayValue,
Context.ArmorSessionKey.keyvalue.ByteArrayValue);
Context.FastArmorkey = new EncryptionKey(new KerbInt32((long)Context.SelectedEType), new Asn1OctetString(armorKey));
Asn1BerEncodingBuffer encodebuf = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(encodebuf);
var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
var chksum = KerberosUtility.GetChecksum(
armorKey,
encodebuf.Data,
(int)KeyUsageNumber.FAST_REQ_CHECKSUM,
checksumType);
Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, subKey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
FastArmorApRequest fastArmor = new FastArmorApRequest(apReq.Request);
fastArmor.armorType = armorType;
KerberosArmoredRequest armoredReq
= new KerberosArmoredRequest(fastArmor, checkSum, (long)Context.SelectedEType, armorKey, fastReq);
PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
return paFxfast;
}
/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <returns></returns>
public byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags,
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));
Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
KerberosApRequest request = new KerberosApRequest(
Context.Pvno,
options,
Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
return KerberosUtility.AddGssApiTokenHeader(request, this.oidPkt, gssToken);
}
/// <summary>
/// Create context
/// </summary>
/// <param name="domain">Domain name</param>
/// <param name="cName">Principal name</param>
/// <param name="password">Password of principal</param>
/// <param name="accountType">Accoundtype, user or device</param>
/// <param name="armorTicket">Computer TGT as armor ticket</param>
/// <param name="armorSessionKey">Computer TGS session key as armor session key</param>
public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt, KerberosTicket armorTicket, EncryptionKey armorSessionKey)
: this(domain, cName, password, accountType, salt)
{
this.ArmorTicket = armorTicket;
this.ArmorSessionKey = armorSessionKey;
this.SelectedEType = (EncryptionType)this.ArmorTicket.SessionKey.keytype.Value;
}
private Authenticator CreateAuthenticator(KerberosTicket ticket, AuthorizationData data, EncryptionKey subkey)
{
Authenticator plaintextAuthenticator = new Authenticator();
plaintextAuthenticator.authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5);
plaintextAuthenticator.crealm = this.Context.CName.Realm;
plaintextAuthenticator.cusec = new Microseconds(DateTime.UtcNow.Millisecond);
plaintextAuthenticator.ctime = KerberosUtility.CurrentKerberosTime;
plaintextAuthenticator.seq_number = new KerbUInt32(0);
plaintextAuthenticator.cname = ticket.TicketOwner;
plaintextAuthenticator.subkey = subkey;
plaintextAuthenticator.authorization_data = data;
return(plaintextAuthenticator);
}
public void DecryptTicket(EncryptionKey key)
{
DecryptTicket((EncryptionType)key.keytype.Value, key.keyvalue.ByteArrayValue);
}
/// <summary>
/// Create authenticator for ChecksumType.ap_authenticator_8003
/// </summary>
private Authenticator CreateAuthenticator(
KerberosTicket ticket,
AuthorizationData data,
EncryptionKey subkey,
ChecksumFlags checksumFlag
)
{
Authenticator plaintextAuthenticator = CreateAuthenticator(ticket, data, subkey);
AuthCheckSum checksum = new AuthCheckSum();
checksum.Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
checksum.Bnd = new byte[checksum.Lgth];
checksum.Flags = (int)checksumFlag;
byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
return plaintextAuthenticator;
}
