/// <summary>
/// Parse a PrincipalName (RFC 4120 §5.2.2) from a DER value.
/// </summary>
/// <param name="value">The DER value holding the PrincipalName. The callers visible
/// in this file check CheckSequence() on it first; this method itself only
/// requires that it has children.</param>
/// <returns>The parsed name. A tag that is absent leaves the corresponding
/// property at its default (including a Names that was never assigned).</returns>
/// <exception cref="InvalidDataException">Thrown when the value has no children,
/// a child is not context specific, or a child carries an unknown tag.</exception>
internal static KerberosPrincipalName Parse(DERValue value)
{
    if (!value.HasChildren())
    {
        throw new InvalidDataException();
    }

    var name = new KerberosPrincipalName();
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        if (field.Tag == 0)
        {
            // name-type [0]
            name.NameType = (KerberosNameType)field.ReadChildInteger();
        }
        else if (field.Tag == 1)
        {
            // name-string [1] SEQUENCE OF string
            name.Names = field.ReadChildStringSequence().AsReadOnly();
        }
        else
        {
            throw new InvalidDataException();
        }
    }
    return name;
}
/// <summary>
/// Parse an EncryptedData structure (RFC 4120 §5.2.9) from a DER SEQUENCE.
/// </summary>
/// <param name="value">The DER SEQUENCE holding the EncryptedData.</param>
/// <returns>The parsed structure. An absent tag leaves the corresponding property
/// at its default; in particular the presence of the cipher text is not enforced
/// here, unlike the mandatory-field checks in the checksum and key parsers.</returns>
/// <exception cref="InvalidDataException">Thrown when the value is not a SEQUENCE,
/// a child is not context specific, or a child carries an unknown tag.</exception>
internal static KerberosEncryptedData Parse(DERValue value)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    var result = new KerberosEncryptedData();
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        if (field.Tag == 0)
        {
            // etype [0]
            result.EncryptionType = (KerberosEncryptionType)field.ReadChildInteger();
        }
        else if (field.Tag == 1)
        {
            // kvno [1]
            result.KeyVersion = field.ReadChildInteger();
        }
        else if (field.Tag == 2)
        {
            // cipher [2] OCTET STRING
            result.CipherText = field.ReadChildOctetString();
        }
        else
        {
            throw new InvalidDataException();
        }
    }
    return result;
}
/// <summary>
/// Parse the decrypted EncAPRepPart (APPLICATION 27) of an AP-REP message.
/// </summary>
/// <param name="orig_data">The encrypted data the plaintext was decrypted from;
/// handed to the result's constructor.</param>
/// <param name="decrypted">The decrypted DER bytes.</param>
/// <param name="ticket">Receives the parsed part on success, otherwise null.</param>
/// <returns>True on success; false on a structural mismatch, an unknown tag, or an
/// InvalidDataException/EndOfStreamException raised by the helpers.</returns>
/// <remarks>
/// Only those two exception types are translated into a false return; anything
/// else thrown while parsing propagates to the caller. The sub-key is parsed with
/// an empty realm and a default-constructed KerberosPrincipalName.
/// NOTE(review): KerberosAuthenticationKey.Parse calls ToArray() on that name's
/// Names, so this relies on the constructor initialising it — confirm.
/// </remarks>
internal static bool Parse(KerberosEncryptedData orig_data, byte[] decrypted, out KerberosEncryptedData ticket)
{
    ticket = null;
    try
    {
        DERValue[] parsed = DERParser.ParseData(decrypted, 0);
        if (parsed.Length != 1)
        {
            return false;
        }

        // EncAPRepPart is APPLICATION 27 wrapping a single SEQUENCE.
        DERValue root = parsed[0];
        if (!root.CheckApplication(27) || !root.HasChildren() || !root.Children[0].CheckSequence())
        {
            return false;
        }

        var part = new KerberosAPReplyEncryptedPart(orig_data);
        foreach (var field in root.Children[0].Children)
        {
            if (field.Type != DERTagType.ContextSpecific || !ApplyField(part, field))
            {
                return false;
            }
        }
        ticket = part;
        return true;
    }
    catch (InvalidDataException)
    {
        return false;
    }
    catch (EndOfStreamException)
    {
        return false;
    }

    // Assigns one context-tagged field to target; false for an unknown tag or a
    // subkey [2] with no body.
    bool ApplyField(KerberosAPReplyEncryptedPart target, DERValue field)
    {
        switch (field.Tag)
        {
            case 0:
                target.ClientTime = field.ReadChildGeneralizedTime();
                return true;
            case 1:
                target.ClientUSec = field.ReadChildInteger();
                return true;
            case 2:
                if (!field.HasChildren())
                {
                    return false;
                }
                target.SubKey = KerberosAuthenticationKey.Parse(field.Children[0], string.Empty, new KerberosPrincipalName());
                return true;
            case 3:
                target.SequenceNumber = field.ReadChildInteger();
                return true;
            default:
                return false;
        }
    }
}
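/// <summary>
/// Check whether an Authenticode SpcIndirectDataContent carries page hashes, i.e.
/// whether the SpcSerializedObject inside its SpcPeImageData names the
/// SPC_PE_IMAGE_PAGE_HASHES_V1 or V2 object identifier.
/// </summary>
/// <param name="root">The SpcIndirectDataContent SEQUENCE.</param>
/// <returns>True if the page-hash OID is present; false on any structural mismatch.</returns>
/// <remarks>
/// Every step is a structural check that returns false rather than throwing, with
/// one exception: DERParser.ParseData on the serialized-object bytes may still throw
/// on malformed input, and that is left to the caller.
/// </remarks>
private static bool CheckForPageHash(DERValue root)
{
    // SpcIndirectDataContent ::= SEQUENCE { data, messageDigest }
    if (!root.CheckSequence() || !root.HasChildren())
    {
        return false;
    }

    // data ::= SEQUENCE { type OBJECT IDENTIFIER, value }
    root = root.Children[0];
    if (!root.CheckSequence() || !root.HasChildren())
    {
        return false;
    }
    if (root.Children.Length < 2 || root.ReadChildObjID() != SPC_PE_IMAGE_DATAOBJ || !root.Children[1].CheckSequence())
    {
        return false;
    }

    // SpcPeImageData ::= SEQUENCE { flags BIT STRING, file [0] }
    // HasChildren() is checked before Children.Length so a value with no child
    // array returns false instead of dereferencing null.
    root = root.Children[1];
    if (!root.HasChildren() || root.Children.Length < 2 || !root.Children[0].CheckPrimitive(UniversalTag.BIT_STRING) || !root.Children[1].CheckContext(0))
    {
        return false;
    }

    // file [0] must hold a moniker [1] SpcSerializedObject.
    root = root.Children[1];
    if (!root.HasChildren() || !root.Children[0].CheckContext(1))
    {
        return false;
    }

    // SpcSerializedObject ::= { classId OCTET STRING (16-byte GUID), serializedData OCTET STRING }
    root = root.Children[0];
    if (!root.HasChildren() || root.Children.Length < 2 || !root.Children[0].CheckPrimitive(UniversalTag.OCTET_STRING) || !root.Children[1].CheckPrimitive(UniversalTag.OCTET_STRING))
    {
        return false;
    }
    if (root.Children[0].Data.Length != 16 || new Guid(root.Children[0].Data) != SPCSERIALIZED_OBJECT)
    {
        return false;
    }

    DERValue[] values = DERParser.ParseData(root.Children[1].Data, 0);
    if (values.Length < 1)
    {
        return false;
    }

    // The OID is two levels down in the first serialized attribute; either level
    // may be missing, in which case objid is null.
    var objid = values[0].GetChild(0)?.GetChild(0);
    // Reject null explicitly. The form `!objid?.CheckPrimitive(...) ?? false`
    // evaluates to false for a null objid (the lifted `!` yields null, `??` turns
    // it into false), so the guard would not fire and objid.Value would throw.
    if (objid == null || !objid.Value.CheckPrimitive(UniversalTag.OBJECT_IDENTIFIER))
    {
        return false;
    }

    string objid_value = objid.Value.ReadObjID();
    return objid_value == SPC_PE_IMAGE_PAGE_HASHES_V1_OBJID || objid_value == SPC_PE_IMAGE_PAGE_HASHES_V2_OBJID;
}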
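/// <summary>
/// Parse a Ticket (RFC 4120 §5.3, APPLICATION 1) from its DER representation.
/// </summary>
/// <param name="value">The DER value; must be APPLICATION 1 wrapping a SEQUENCE.</param>
/// <returns>The parsed ticket. An absent tag leaves the corresponding property at
/// its default; this method does not check that realm, sname and enc-part were
/// all present.</returns>
/// <exception cref="InvalidDataException">Thrown on any structural mismatch, an
/// unknown context tag, or a tkt-vno other than 5.</exception>
internal static KerberosTicket Parse(DERValue value)
{
    if (!value.CheckApplication(1) || !value.HasChildren())
    {
        throw new InvalidDataException();
    }
    if (!value.Children[0].CheckSequence())
    {
        throw new InvalidDataException();
    }

    KerberosTicket ret = new KerberosTicket();
    foreach (var next in value.Children[0].Children)
    {
        if (next.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }
        switch (next.Tag)
        {
            case 0:
                // tkt-vno [0] must be 5.
                if (next.ReadChildInteger() != 5)
                {
                    throw new InvalidDataException();
                }
                break;
            case 1:
                // realm [1]
                ret.Realm = next.ReadChildGeneralString();
                break;
            case 2:
                // sname [2] PrincipalName. Check for a child before indexing so an
                // empty [2] raises InvalidDataException (which the decrypt parsers in
                // this file catch) rather than an index or null-reference exception
                // (which they do not).
                if (!next.HasChildren() || !next.Children[0].CheckSequence())
                {
                    throw new InvalidDataException();
                }
                ret.ServerName = KerberosPrincipalName.Parse(next.Children[0]);
                break;
            case 3:
                // enc-part [3] EncryptedData
                if (!next.HasChildren())
                {
                    throw new InvalidDataException();
                }
                ret.EncryptedData = KerberosEncryptedData.Parse(next.Children[0]);
                break;
            default:
                throw new InvalidDataException();
        }
    }
    return ret;
}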
/// <summary>
/// Parse an AuthorizationData value: a SEQUENCE OF AuthorizationData elements.
/// </summary>
/// <param name="value">The DER SEQUENCE whose children are the elements.</param>
/// <returns>A read-only list of the parsed elements, in encoding order; empty
/// for an empty SEQUENCE.</returns>
/// <exception cref="InvalidDataException">Thrown when value is not a SEQUENCE,
/// or by Parse for a malformed element.</exception>
internal static IReadOnlyList<KerberosAuthorizationData> ParseSequence(DERValue value)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    // Each element is validated individually by Parse; the first malformed
    // element aborts the whole sequence.
    var elements = new List<KerberosAuthorizationData>();
    foreach (var element in value.Children)
    {
        elements.Add(Parse(element));
    }
    return elements.AsReadOnly();
}
/// <summary>
/// Parse a Checksum structure (RFC 4120 §5.2.9) from a DER SEQUENCE.
/// </summary>
/// <param name="value">The DER SEQUENCE holding cksumtype [0] and checksum [1].</param>
/// <returns>A KerberosChecksumGSSApi when the type is GSSAPI and the checksum
/// bytes parse as one; otherwise a plain KerberosChecksum wrapping the raw bytes.</returns>
/// <exception cref="InvalidDataException">Thrown when the value is not a SEQUENCE,
/// a child is not context specific or has an unknown tag, or either the type
/// (non-zero) or the checksum bytes are missing.</exception>
internal static KerberosChecksum Parse(DERValue value)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    KerberosChecksumType checksumType = 0;
    byte[] checksum = null;
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        if (field.Tag == 0)
        {
            checksumType = (KerberosChecksumType)field.ReadChildInteger();
        }
        else if (field.Tag == 1)
        {
            checksum = field.ReadChildOctetString();
        }
        else
        {
            throw new InvalidDataException();
        }
    }

    // Both fields are mandatory; a zero type is treated as absent.
    if (checksumType == 0 || checksum == null)
    {
        throw new InvalidDataException();
    }

    // GSS-API checksums carry structure of their own; fall back to the raw form
    // when that structure does not parse.
    if (checksumType == KerberosChecksumType.GSSAPI && KerberosChecksumGSSApi.Parse(checksum, out KerberosChecksum gssapiChecksum))
    {
        return gssapiChecksum;
    }
    return new KerberosChecksum(checksumType, checksum);
}
/// <summary>
/// Parse an EncryptionKey structure (RFC 4120 §5.2.9) from a DER SEQUENCE and
/// bind it to a principal.
/// </summary>
/// <param name="value">The DER SEQUENCE holding keytype [0] and keyvalue [1].</param>
/// <param name="realm">Realm recorded on the resulting key.</param>
/// <param name="name">Principal whose NameType and Names are recorded on the key.</param>
/// <returns>A new KerberosAuthenticationKey stamped with the local wall-clock time
/// (DateTime.Now) and a version of 0.</returns>
/// <exception cref="InvalidDataException">Thrown when the value is not a SEQUENCE,
/// a child is not context specific or has an unknown tag, or either the type
/// (non-zero) or the key bytes are missing.</exception>
/// <remarks>
/// NOTE(review): name.Names is enumerated unconditionally, so a principal whose
/// Names was never assigned makes ToArray() throw ArgumentNullException rather than
/// InvalidDataException — confirm the KerberosPrincipalName constructor initialises it.
/// </remarks>
internal static KerberosAuthenticationKey Parse(DERValue value, string realm, KerberosPrincipalName name)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    KerberosEncryptionType encType = 0;
    byte[] keyBytes = null;
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        switch (field.Tag)
        {
            case 0:
                // keytype [0]
                encType = (KerberosEncryptionType)field.ReadChildInteger();
                break;
            case 1:
                // keyvalue [1] OCTET STRING
                keyBytes = field.ReadChildOctetString();
                break;
            default:
                throw new InvalidDataException();
        }
    }

    // Both fields are mandatory; a zero type is treated as absent.
    if (encType == 0 || keyBytes == null)
    {
        throw new InvalidDataException();
    }

    string[] principalNames = name.Names.ToArray();
    return new KerberosAuthenticationKey(encType, keyBytes, name.NameType, realm, principalNames, DateTime.Now, 0);
}
/// <summary>
/// Parse a TransitedEncoding structure (RFC 4120 §5.3) from a DER SEQUENCE.
/// </summary>
/// <param name="value">The DER SEQUENCE holding tr-type [0] and contents [1].</param>
/// <returns>A new KerberosTransitedEncoding. Unlike the checksum and key parsers,
/// a tr-type of 0 (or an absent tr-type) is accepted; only the contents are required.</returns>
/// <exception cref="InvalidDataException">Thrown when the value is not a SEQUENCE,
/// a child is not context specific or has an unknown tag, or contents are missing.</exception>
internal static KerberosTransitedEncoding Parse(DERValue value)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    KerberosTransitedEncodingType encodingType = 0;
    byte[] contents = null;
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        if (field.Tag == 0)
        {
            encodingType = (KerberosTransitedEncodingType)field.ReadChildInteger();
        }
        else if (field.Tag == 1)
        {
            contents = field.ReadChildOctetString();
        }
        else
        {
            throw new InvalidDataException();
        }
    }

    if (contents == null)
    {
        throw new InvalidDataException();
    }
    return new KerberosTransitedEncoding(encodingType, contents);
}
/// <summary>
/// Parse a single AuthorizationData element (ad-type [0], ad-data [1]) and, for the
/// types this code understands, decode its contents into a specialised subclass.
/// </summary>
/// <param name="value">The DER SEQUENCE holding the element.</param>
/// <returns>
/// For AD-IF-RELEVANT: the result of parsing the first element of the wrapped
/// AuthorizationData (only the first element is unwrapped; any further elements
/// are dropped). For the restriction-entry, etype-negotiation and Win2K PAC types:
/// the specialised object when its parser succeeds. Otherwise a generic
/// KerberosAuthorizationData wrapping the raw ad-data.
/// </returns>
/// <exception cref="InvalidDataException">Thrown when the element is not a SEQUENCE,
/// a child is not context specific or has an unknown tag, the type (non-zero) or data
/// is missing, or an AD-IF-RELEVANT wrapper is not exactly one non-empty SEQUENCE.</exception>
internal static KerberosAuthorizationData Parse(DERValue value)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    KerberosAuthorizationDataType adType = 0;
    byte[] contents = null;
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        if (field.Tag == 0)
        {
            adType = (KerberosAuthorizationDataType)field.ReadChildInteger();
        }
        else if (field.Tag == 1)
        {
            contents = field.ReadChildOctetString();
        }
        else
        {
            throw new InvalidDataException();
        }
    }

    if (adType == 0 || contents == null)
    {
        throw new InvalidDataException();
    }

    switch (adType)
    {
        case KerberosAuthorizationDataType.AD_IF_RELEVANT:
        {
            // ad-data is itself a DER AuthorizationData SEQUENCE; recurse into its
            // first element.
            DERValue[] inner = DERParser.ParseData(contents, 0);
            if (inner.Length != 1 || !inner[0].CheckSequence() || !inner[0].HasChildren())
            {
                throw new InvalidDataException();
            }
            return Parse(inner[0].Children[0]);
        }
        case KerberosAuthorizationDataType.KERB_AD_RESTRICTION_ENTRY:
            if (KerberosAuthorizationDataRestrictionEntry.Parse(contents, out KerberosAuthorizationDataRestrictionEntry restriction))
            {
                return restriction;
            }
            break;
        case KerberosAuthorizationDataType.AD_ETYPE_NEGOTIATION:
            if (KerberosAuthorizationDataEncryptionNegotiation.Parse(contents, out KerberosAuthorizationDataEncryptionNegotiation negotiation))
            {
                return negotiation;
            }
            break;
        case KerberosAuthorizationDataType.AD_WIN2K_PAC:
            if (KerberosAuthorizationDataPAC.Parse(contents, out KerberosAuthorizationDataPAC pac))
            {
                return pac;
            }
            break;
    }

    // Unknown type, or a known type whose specialised parser failed: keep the raw bytes.
    return new KerberosAuthorizationData(adType, contents);
}
/// <summary>
/// Check whether a DER value is the APPLICATION-tagged wrapper for the given
/// Kerberos message type (the message type's numeric value is the application tag).
/// </summary>
/// <param name="value">The DER value to test.</param>
/// <param name="msg">The expected message type.</param>
/// <returns>The result of CheckApplication with the message type cast to int.</returns>
internal static bool CheckMsg(this DERValue value, KerberosMessageType msg) => value.CheckApplication((int)msg);
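/// <summary>
/// Parse the decrypted Authenticator (RFC 4120 §5.5.1, APPLICATION 2) of an AP-REQ.
/// </summary>
/// <param name="orig_ticket">The ticket the authenticator accompanies; its Realm and
/// ServerName are recorded on the parsed sub-key.</param>
/// <param name="orig_data">The encrypted data the plaintext came from; handed to the
/// result's constructor.</param>
/// <param name="keyset">Keys tried when decrypting credentials carried in a GSS-API
/// checksum. A copy is made and the sub-key (if any) added to the copy, so the
/// caller's set is not modified. The AsEnumerable() ?? fallback appears intended to
/// tolerate a null keyset.</param>
/// <param name="decrypted">The decrypted DER bytes.</param>
/// <param name="ticket">Receives the parsed authenticator on success, otherwise null.</param>
/// <returns>True on success; false on a structural mismatch, an unknown tag, an
/// authenticator-vno other than 5, or an InvalidDataException/EndOfStreamException
/// raised by the helpers. Other exception types propagate.</returns>
internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, KerberosKeySet keyset, out KerberosEncryptedData ticket)
{
    ticket = null;
    try
    {
        DERValue[] values = DERParser.ParseData(decrypted, 0);
        if (values.Length != 1)
        {
            return false;
        }

        DERValue value = values[0];
        if (!value.CheckApplication(2) || !value.HasChildren())
        {
            return false;
        }
        if (!value.Children[0].CheckSequence())
        {
            return false;
        }

        var ret = new KerberosAuthenticator(orig_data);
        foreach (var next in value.Children[0].Children)
        {
            if (next.Type != DERTagType.ContextSpecific)
            {
                return false;
            }
            switch (next.Tag)
            {
                case 0:
                    // authenticator-vno [0] must be 5.
                    if (next.ReadChildInteger() != 5)
                    {
                        return false;
                    }
                    break;
                case 1:
                    // crealm [1]
                    ret.ClientRealm = next.ReadChildGeneralString();
                    break;
                case 2:
                    // cname [2] PrincipalName. Guard the index: an empty [2] must yield
                    // false, not an index/null-reference exception, which the catch
                    // blocks below do not handle.
                    if (!next.HasChildren() || !next.Children[0].CheckSequence())
                    {
                        return false;
                    }
                    ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
                    break;
                case 3:
                    // cksum [3] Checksum — same guard as cname.
                    if (!next.HasChildren() || !next.Children[0].CheckSequence())
                    {
                        return false;
                    }
                    ret.Checksum = KerberosChecksum.Parse(next.Children[0]);
                    break;
                case 4:
                    // cusec [4]
                    ret.ClientUSec = next.ReadChildInteger();
                    break;
                case 5:
                    // ctime [5]
                    ret.ClientTime = next.ReadChildGeneralizedTime();
                    break;
                case 6:
                    // subkey [6] EncryptionKey, bound to the ticket's realm and server name.
                    if (!next.HasChildren())
                    {
                        return false;
                    }
                    ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
                    break;
                case 7:
                    // seq-number [7]
                    ret.SequenceNumber = next.ReadChildInteger();
                    break;
                case 8:
                    // authorization-data [8]
                    if (!next.HasChildren())
                    {
                        return false;
                    }
                    ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
                    break;
                default:
                    return false;
            }
        }

        // Credentials carried in a GSS-API checksum are decrypted with the caller's
        // keys plus this authenticator's sub-key. Work on a copy so the sub-key does
        // not leak into the caller's keyset.
        if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null)
        {
            KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosAuthenticationKey[0]);
            if (ret.SubKey != null)
            {
                tmp_keyset.Add(ret.SubKey);
            }
            gssapi.Decrypt(tmp_keyset);
        }
        ticket = ret;
    }
    catch (InvalidDataException)
    {
        return false;
    }
    catch (EndOfStreamException)
    {
        return false;
    }
    return true;
}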
/// <summary>
/// Parse one AuthorizationData element (ad-type [0], ad-data [1]) into one or more
/// KerberosAuthorizationData objects, decoding the types this code understands.
/// </summary>
/// <param name="value">The DER SEQUENCE holding the element.</param>
/// <returns>
/// For AD-IF-RELEVANT: the concatenated results of parsing every element of the
/// wrapped AuthorizationData. For the restriction-entry, etype-negotiation, Win2K
/// PAC, AP-options, target-name and KERB_LOCAL types: the specialised object when
/// its parser succeeds. When nothing specialised was produced, a single generic
/// KerberosAuthorizationData wrapping the raw ad-data. Never empty.
/// </returns>
/// <exception cref="InvalidDataException">Thrown when the element is not a SEQUENCE,
/// a child is not context specific or has an unknown tag, the type (non-zero) or data
/// is missing, or an AD-IF-RELEVANT wrapper is not exactly one non-empty SEQUENCE.</exception>
internal static IEnumerable<KerberosAuthorizationData> Parse(DERValue value)
{
    if (!value.CheckSequence())
    {
        throw new InvalidDataException();
    }

    KerberosAuthorizationDataType adType = 0;
    byte[] contents = null;
    foreach (var field in value.Children)
    {
        if (field.Type != DERTagType.ContextSpecific)
        {
            throw new InvalidDataException();
        }

        if (field.Tag == 0)
        {
            adType = (KerberosAuthorizationDataType)field.ReadChildInteger();
        }
        else if (field.Tag == 1)
        {
            contents = field.ReadChildOctetString();
        }
        else
        {
            throw new InvalidDataException();
        }
    }

    if (adType == 0 || contents == null)
    {
        throw new InvalidDataException();
    }

    var results = new List<KerberosAuthorizationData>();
    switch (adType)
    {
        case KerberosAuthorizationDataType.AD_IF_RELEVANT:
        {
            // ad-data is itself a DER AuthorizationData SEQUENCE; recurse into
            // every element and flatten.
            DERValue[] inner = DERParser.ParseData(contents, 0);
            if (inner.Length != 1 || !inner[0].CheckSequence() || !inner[0].HasChildren())
            {
                throw new InvalidDataException();
            }
            results.AddRange(inner[0].Children.SelectMany(element => Parse(element)));
            break;
        }
        case KerberosAuthorizationDataType.KERB_AD_RESTRICTION_ENTRY:
            if (KerberosAuthorizationDataRestrictionEntry.Parse(contents, out KerberosAuthorizationDataRestrictionEntry restriction))
            {
                results.Add(restriction);
            }
            break;
        case KerberosAuthorizationDataType.AD_ETYPE_NEGOTIATION:
            if (KerberosAuthorizationDataEncryptionNegotiation.Parse(contents, out KerberosAuthorizationDataEncryptionNegotiation negotiation))
            {
                results.Add(negotiation);
            }
            break;
        case KerberosAuthorizationDataType.AD_WIN2K_PAC:
            if (KerberosAuthorizationDataPAC.Parse(contents, out KerberosAuthorizationDataPAC pac))
            {
                results.Add(pac);
            }
            break;
        case KerberosAuthorizationDataType.AD_AUTH_DATA_AP_OPTIONS:
            if (KerberosAuthorizationDataApOptions.Parse(contents, out KerberosAuthorizationDataApOptions apOptions))
            {
                results.Add(apOptions);
            }
            break;
        case KerberosAuthorizationDataType.AD_AUTH_DATA_TARGET_NAME:
            if (KerberosAuthorizationDataTargetName.Parse(contents, out KerberosAuthorizationDataTargetName targetName))
            {
                results.Add(targetName);
            }
            break;
        case KerberosAuthorizationDataType.KERB_LOCAL:
            if (KerberosAuthorizationDataKerbLocal.Parse(contents, out KerberosAuthorizationDataKerbLocal kerbLocal))
            {
                results.Add(kerbLocal);
            }
            break;
    }

    // Unknown type, or a known type whose specialised parser failed: keep the raw bytes.
    if (results.Count == 0)
    {
        results.Add(new KerberosAuthorizationData(adType, contents));
    }
    return results;
}
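/// <summary>
/// Parse the decrypted EncTicketPart (RFC 4120 §5.3, APPLICATION 3) of a ticket.
/// </summary>
/// <param name="orig_ticket">The ticket whose enc-part was decrypted; handed to the
/// result's constructor, and its Realm and ServerName are recorded on the session key.</param>
/// <param name="decrypted">The decrypted DER bytes.</param>
/// <param name="keyset">Receives the ticket's session key as soon as key [1] is parsed,
/// i.e. before the remaining fields are validated, so the key stays in the set even if
/// a later field makes this method return false. A null keyset is tolerated (no key is
/// recorded), matching the null tolerance of the authenticator parser.</param>
/// <param name="ticket">Receives the parsed ticket on success, otherwise null.</param>
/// <returns>True on success; false on a structural mismatch, an unknown tag, or an
/// InvalidDataException/EndOfStreamException raised by the helpers. Other exception
/// types propagate.</returns>
internal static bool Parse(KerberosTicket orig_ticket, byte[] decrypted, KerberosKeySet keyset, out KerberosTicket ticket)
{
    ticket = null;
    try
    {
        DERValue[] values = DERParser.ParseData(decrypted, 0);
        if (values.Length != 1)
        {
            return false;
        }

        DERValue value = values[0];
        if (!value.CheckApplication(3) || !value.HasChildren())
        {
            return false;
        }
        if (!value.Children[0].CheckSequence())
        {
            return false;
        }

        var ret = new KerberosTicketDecrypted(orig_ticket);
        foreach (var next in value.Children[0].Children)
        {
            if (next.Type != DERTagType.ContextSpecific)
            {
                return false;
            }
            switch (next.Tag)
            {
                case 0:
                    // flags [0] TicketFlags BIT STRING
                    ret.Flags = ConvertTicketFlags(next.ReadChildBitString());
                    break;
                case 1:
                    // key [1] EncryptionKey, bound to the ticket's realm and server name.
                    if (!next.HasChildren())
                    {
                        return false;
                    }
                    ret.Key = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
                    keyset?.Add(ret.Key);
                    break;
                case 2:
                    // crealm [2]
                    ret.ClientRealm = next.ReadChildGeneralString();
                    break;
                case 3:
                    // cname [3] PrincipalName. Guard the index: an empty [3] must yield
                    // false, not an index/null-reference exception, which the catch
                    // blocks below do not handle.
                    if (!next.HasChildren() || !next.Children[0].CheckSequence())
                    {
                        return false;
                    }
                    ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
                    break;
                case 4:
                    // transited [4] TransitedEncoding
                    if (!next.HasChildren())
                    {
                        return false;
                    }
                    ret.TransitedType = KerberosTransitedEncoding.Parse(next.Children[0]);
                    break;
                case 5:
                    ret.AuthTime = next.ReadChildGeneralizedTime();
                    break;
                case 6:
                    ret.StartTime = next.ReadChildGeneralizedTime();
                    break;
                case 7:
                    ret.EndTime = next.ReadChildGeneralizedTime();
                    break;
                case 8:
                    ret.RenewTill = next.ReadChildGeneralizedTime();
                    break;
                case 9:
                    // caddr [9] HostAddresses
                    if (!next.HasChildren())
                    {
                        return false;
                    }
                    ret.HostAddresses = KerberosHostAddress.ParseSequence(next.Children[0]);
                    break;
                case 10:
                    // authorization-data [10]
                    if (!next.HasChildren())
                    {
                        return false;
                    }
                    ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
                    break;
                default:
                    return false;
            }
        }
        ticket = ret;
    }
    catch (InvalidDataException)
    {
        return false;
    }
    catch (EndOfStreamException)
    {
        return false;
    }
    return true;
}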