/// <summary>
/// Client-side authentication round: builds the TGS request for <paramref name="uid"/>,
/// then the AP request, and finally visits the application server.
/// </summary>
/// <param name="uid">Principal to authenticate; an empty/null uid is rejected up front
/// because no TGS request can be built for it.</param>
/// <returns>True when <c>VisitApp()</c> succeeds, false otherwise.</returns>
public bool Authen(string uid)
{
    // Precondition for a TGS request: the caller must name a principal.
    if (string.IsNullOrEmpty(uid))
    {
        return false;
    }

    // Side effects: both request objects are cached on the instance.
    this.kerbTgsReq = CreateKerbTGSReq(uid);
    this.kerbApReq = CreateKerbApReq();

    // The outcome of the whole round is the AP visit.
    return VisitApp();
}
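/// <summary>
/// TGS-server side handling of a <see cref="KerbTGSRequest"/>. The TGT is decrypted
/// here, not on the client (only the TGS holds <c>KeyType.AS_TGS_Key</c>); the uid in
/// the authenticator must match the uid inside the ticket and the ticket must not be
/// expired. On success a service ticket (STicket) is issued.
/// </summary>
/// <param name="kerbTgsRequest">Carries the encrypted TGT, the AS/client session key and
/// the uid encrypted under that session key.</param>
/// <param name="tgsvalid">True only when a service ticket was issued.</param>
/// <param name="kerbTgsResponse">"encryptedSTicket|key1|uid" on success; empty string on
/// every rejection.</param>
/// <remarks>
/// Fix: every rejection (uid mismatch, expired TGT) used to re-invoke this method with the
/// same request, which can only fail again and ends in a stack overflow; rejections now
/// simply return <paramref name="tgsvalid"/> = false. A malformed or truncated ticket is
/// also a rejection instead of an IndexOutOfRange/FormatException.
/// Review notes, not changed here because the client-side parsing is not in view:
/// key1 (the client/AP session key) is put in the response as plain text rather than
/// sealed under session_key_1; the RSA signature is computed but never included in the
/// response; DES with the fixed <c>KeyType.Iv</c> is used for every ticket; and the request
/// object carries session_key_1 as a plain string (whether the transport protects it is
/// not visible here).
/// </remarks>
public void HandleTgsReq(KerbTGSRequest kerbTgsRequest, out bool tgsvalid, out string kerbTgsResponse)
{
    // Default to "rejected"; every early return below keeps these values.
    tgsvalid = false;
    kerbTgsResponse = string.Empty;

    if (kerbTgsRequest == null)
    {
        return;
    }

    string session_key_1 = kerbTgsRequest.session_key_1;
    string encryptUid = kerbTgsRequest.encryptUid;
    string encrptTgsTicket = kerbTgsRequest.encyptgsTicket;

    // TGT plaintext is "uid|timestamp|lifetime", sealed under the AS/TGS key.
    string tgticket = desCrypt.Decrypt(encrptTgsTicket, KeyType.AS_TGS_Key, KeyType.Iv);
    if (string.IsNullOrEmpty(tgticket))
    {
        return;
    }

    string[] ticketArray = tgticket.Split('|');
    DateTime ts2 = default(DateTime);
    double lifetime2 = 0;
    // A tampered or truncated ticket must be a rejection, not an exception.
    if (ticketArray.Length < 3
        || !DateTime.TryParse(ticketArray[1], out ts2)
        || !double.TryParse(ticketArray[2], out lifetime2))
    {
        return;
    }
    string uid = ticketArray[0];
    TGTicket tgtTicket = new TGTicket(uid, ts2, lifetime2);

    // Authenticator: the uid the client encrypted under session_key_1 must equal the
    // uid inside the ticket. Null-safe and ordinal (the old code dereferenced validUid
    // before its null check).
    string validUid = desCrypt.Decrypt(encryptUid, session_key_1, KeyType.Iv);
    if (string.IsNullOrEmpty(validUid) || !string.Equals(validUid, uid, StringComparison.Ordinal))
    {
        return; // ticket or authenticator was modified
    }

    if (IsTGTExpired(tgtTicket))
    {
        return; // TGT lifetime elapsed; the client has to go back to the AS
    }

    // Service ticket for the client/AP leg: "id|ts4|lifetime4|uid|adc", sealed under TGS_AP_Key.
    STicket sticket = new STicket(uid);
    string sticketPlain = string.Join("|",
        sticket.STIdentity,
        Convert.ToString(sticket.TS4),
        Convert.ToString(sticket.LifeTime4),
        uid,
        Convert.ToString(sticket.Adc1));
    string encryptSticket = desCrypt.Encrypt(sticketPlain, KeyType.TGS_AP_Key, KeyType.Iv);

    // Fresh client/AP session key; GenerateDesCryProvider replaces key1/iv through the refs.
    string key1 = KeyType.Client_AP_Key;
    string iv = KeyType.Iv;
    key1 = desCrypt.GenerateDesCryProvider(ref key1, ref iv);

    // Signature over the hash of key1. It is computed but not part of the response
    // below, so the client has nothing to verify on this leg (the AS leg in
    // CreateKerbTGSReq does append and check one).
    string hashData = "";
    rsaCrpt.GetHash(key1, ref hashData);
    string rsasign = "";
    rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);

    // TODO(security): key1 is sent unencrypted; seal it under session_key_1 once the
    // client-side parsing of this response is changed to match.
    kerbTgsResponse = string.Concat(encryptSticket, "|", key1, "|", uid);
    tgsvalid = true;
}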
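/// <summary>
/// Client side: turns the AS response cached in <c>kerbAsResponse</c> into a
/// <see cref="KerbTGSRequest"/>. The AS response has the form
/// "&lt;DES(encTGT|session_key_1|uid)&gt;,&lt;rsasign&gt;"; the signature over the hash
/// of session_key_1 is verified with the public key before that key is used. The TGT stays
/// opaque here: only the TGS holds AS_TGS_Key. (An alternative to this hand-rolled
/// "|"/"," framing would be JSON or object serialization.)
/// </summary>
/// <param name="ADMIN_UID">Principal to authenticate; stored in <c>Uid</c>. Note that the
/// uid placed in the request is the one returned by the AS, not this parameter.</param>
/// <returns>The request, also cached in <c>kerbTgsReq</c>.</returns>
/// <exception cref="InvalidOperationException">The AS response could not be parsed or its
/// signature did not verify, even after requesting fresh AS responses.</exception>
/// <remarks>
/// Fix: a response without the ",rsasign" part (or a decrypted body with fewer than three
/// fields) threw IndexOutOfRangeException; it is now handled like a bad signature. The
/// retry used to recurse without bound (a key mismatch never terminates); it is now capped.
/// </remarks>
public KerbTGSRequest CreateKerbTGSReq(string ADMIN_UID)
{
    const int maxAttempts = 3;
    this.Uid = ADMIN_UID;

    for (int attempt = 1; ; attempt++)
    {
        string[] strArray0 = (kerbAsResponse ?? string.Empty).Split(',');
        if (strArray0.Length >= 2)
        {
            string rsasign = strArray0[1];
            string decryptKerbAsResp = desCryp.Decrypt(strArray0[0], KeyType.AS_Client_Key, KeyType.Iv);
            string[] strArray = (decryptKerbAsResp ?? string.Empty).Split('|');
            if (strArray.Length >= 3)
            {
                string encrypttgTicket = strArray[0];
                string session_key_1 = strArray[1];
                string uid = strArray[2];

                // Verify the AS signature over the session key before trusting it.
                string hashdata = "";
                rsaCryp.GetHash(session_key_1, ref hashdata);
                if (rsaCryp.SignatureDeformatter(HttpUtility.HtmlDecode(publicKey), hashdata, rsasign))
                {
                    // Authenticator for the TGS: uid under session_key_1. The TGT is
                    // forwarded as received; the request also carries session_key_1 as a
                    // plain string (transport protection is not visible here).
                    string encryptUid = desCryp.Encrypt(uid, session_key_1, KeyType.Iv);
                    this.kerbTgsReq = new KerbTGSRequest(encrypttgTicket, session_key_1, encryptUid);
                    return this.kerbTgsReq;
                }
            }
        }

        // Signature (or framing) failed: the session key is not trustworthy.
        if (attempt >= maxAttempts)
        {
            throw new InvalidOperationException(
                "AS response signature did not verify after " + maxAttempts + " attempts.");
        }
        errorInfo = "随机密钥发生变化,请重新生成随机密钥。";
        // Ask the AS for a fresh response (new random key) and try again.
        this.kerbAsResponse = asServer.CreateKerbAsResp(this.Uid, out this.tgTicket);
    }
}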