public override KerberosKey CreateKey()
{
if (this.cacheKey == null)
{
lock (this._syncCache)
{
if (this.cacheKey == null)
{
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, this.Domain, new[] { this.UserName });
EncryptionType?etype = GetPreferredEType(
this.Configuration.Defaults.DefaultTicketEncTypes,
this.Configuration.Defaults.AllowWeakCrypto
);
string salt = null;
if (this.Salts != null && this.Salts.Any())
{
var etypePreferences = GetPreferredETypes(
this.Configuration.Defaults.DefaultTicketEncTypes,
this.Configuration.Defaults.AllowWeakCrypto
).ToArray();
var preferredEtypes = this.Salts.Select(s => s.Key).Intersect(etypePreferences).OrderBy(e => Array.IndexOf(etypePreferences, e));
if (!preferredEtypes.Any())
{
throw new KerberosPolicyException(PaDataType.PA_ENC_TIMESTAMP);
}
var kv = this.Salts.First(s => s.Key == preferredEtypes.First());
etype = kv.Key;
salt = kv.Value;
}
if (etype is null)
{
etype = GetPreferredETypes(allowWeakCrypto: this.Configuration.Defaults.AllowWeakCrypto).FirstOrDefault();
}
if (etype is null)
{
throw new NotSupportedException("Cannot agree on EType");
}
this.cacheKey = new KerberosKey(
this.password,
principalName: principalName,
etype: etype.Value,
saltType: SaltType.ActiveDirectoryUser,
salt: salt
);
}
}
}
return(this.cacheKey);
}
private KerberosKey(
byte[] key,
string password,
byte[] passwordBytes = null,
PrincipalName principalName = null,
string host = null,
string salt = null,
byte[] saltBytes = null,
EncryptionType etype = 0,
SaltType saltFormat = SaltType.ActiveDirectoryService,
byte[] iterationParams = null,
int?kvno = null
)
{
this.key = key;
this.Password = password;
this.passwordBytes = passwordBytes;
this.PrincipalName = principalName;
this.Host = host;
this.salt = salt;
this.saltBytes = saltBytes;
this.EncryptionType = etype;
this.SaltFormat = saltFormat;
this.IterationParameter = iterationParams;
this.Version = kvno;
}
public override KerberosKey CreateKey()
{
if (this.cacheKey == null)
{
lock (this._syncCache)
{
if (this.cacheKey == null)
{
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, this.Domain, new[] { this.UserName });
var etype = EncryptionType.AES256_CTS_HMAC_SHA1_96;
var salt = string.Empty;
if (this.Salts != null && this.Salts.Any())
{
var kv = this.Salts.ElementAt(0);
etype = kv.Key;
salt = kv.Value;
}
this.cacheKey = new KerberosKey(
this.password,
principalName: principalName,
etype: etype,
saltType: SaltType.ActiveDirectoryUser,
salt: salt
);
}
}
}
return(this.cacheKey);
}
//private void LoadEmployees(IUserData db)
//{
// _DirectReports = _Users.Where(u => u.Manager.PrincipalName == PrincipalName).Where(u => u.Id != Id);
//}
public IEnumerable <ValidationResult> Validate(ValidationContext validationContext)
{
if (_Users != null && _Users.Where(u => u.PrincipalName.Trim().Equals(PrincipalName.Trim(), StringComparison.Ordinal)).Where(u => u.Id != Id).Count() > 0)
{
yield return(new ValidationResult("Principal name is used."));
}
}
private KerberosKey(byte[] key, string password, PrincipalName principalName = null, string host = null)
{
this.key = key;
this.password = password;
this.principalName = principalName;
this.host = host;
}
public override KerberosKey CreateKey()
{
if (cacheKey == null)
{
lock (_syncCache)
{
if (cacheKey == null)
{
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Domain, new[] { UserName });
var etype = EncryptionType.AES256_CTS_HMAC_SHA1_96;
var salt = "";
if (Salts != null && Salts.Count() > 0)
{
var kv = Salts.ElementAt(0);
etype = kv.Key;
salt = kv.Value;
}
cacheKey = new KerberosKey(
password,
principalName: principalName,
etype: etype,
saltType: SaltType.ActiveDirectoryUser,
salt: salt
);
}
}
}
return(cacheKey);
}
private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null)
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator");
Random r = new Random();
int seqNum = r.Next();
Authenticator plaintextAuthenticator = new Authenticator
{
authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5),
crealm = realm,
cusec = new Microseconds(0),
ctime = KerberosUtility.CurrentKerberosTime,
seq_number = new KerbUInt32(seqNum),
cname = cname,
subkey = subkey,
authorization_data = data
};
AuthCheckSum checksum = new AuthCheckSum {
Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH
};
checksum.Bnd = new byte[checksum.Lgth];
checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
return(plaintextAuthenticator);
}
internal object ToParam()
{
return(new
{
account = ObjectName.ToUpper(),
principal = PrincipalName.ToUpper(),
});
}
private KerberosAuthenticator CreateAuthenticator()
{
// This could be done with DI and a factory pattern, but we're keeping it simple here.
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Options.Domain, new[] { Options.UserName });
var key = new KerberosKey(Options.Password, principalName, Options.Password);
var validator = new KerberosValidator(key);
var authenticator = new KerberosAuthenticator(validator);
return(authenticator);
}
public KerberosKey(
string password,
PrincipalName principalName = null,
string host = null,
string salt = null,
EncryptionType etype = 0,
SaltType saltType = SaltType.ActiveDirectoryService,
byte[] iterationParams = null
) : this(null, password, null, principalName, host, salt, etype, saltType, iterationParams)
{
}
public override int GetHashCode()
{
unchecked
{
var hashCode = PrincipalName != null?PrincipalName.GetHashCode() : 0;
hashCode = (hashCode * 397) ^ (PrincipalType != null ? PrincipalType.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (RightName != null ? RightName.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (AceType != null ? AceType.GetHashCode() : 0);
return(hashCode);
}
}
private static void WritePrincipal(PrincipalName principal, NdrBuffer buffer)
{
buffer.WriteInt32BigEndian((int)principal.NameType);
buffer.WriteInt32BigEndian(principal.Names.Count);
WriteData(Encoding.UTF8.GetBytes(principal.Realm), buffer);
foreach (var name in principal.Names)
{
WriteData(Encoding.UTF8.GetBytes(name), buffer);
}
}
public KrbFastFinished(
KerberosTime param0,
Microseconds param1,
Realm param2,
PrincipalName param3,
Checksum param4)
{
this.timestamp = param0;
this.usec = param1;
this.crealm = param2;
this.cname = param3;
this.ticket_checksum = param4;
}
public KerberosKey(
byte[] key = null,
byte[] password = null,
PrincipalName principal = null,
string host = null,
string salt = null,
EncryptionType etype = 0,
SaltType saltType = SaltType.ActiveDirectoryService,
byte[] iterationParams = null,
int?kvno = null
) : this(key, null, password, principal, host, salt, etype, saltType, iterationParams, kvno)
{
}
private static KerberosKey CreateKey()
{
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, "CORP.IDENTITYINTERVENTION.COM", new[] { "testuser" });
var host = string.Empty;
var key = new KerberosKey(
"P@ssw0rd!",
principalName: principalName,
host: host,
saltType: SaltType.ActiveDirectoryUser,
etype: EncryptionType.AES256_CTS_HMAC_SHA1_96
);
return(key);
}
/// <summary>
/// Create authenticator for AP request or part of PA-DATA for TGS request.
/// </summary>
/// <param name="cRealm">This field contains the name of the realm in which the client is registered and in
/// which initial authentication took place.</param>
/// <param name="cName">This field contains the name part of the client's principal identifier.</param>
/// <param name="checksumType">The checksum type selected.</param>
/// <param name="seqNumber">The current local sequence number.</param>
/// <param name="flag">The flag set in checksum field of Authenticator.</param>
/// <param name="subkey">Specify the new subkey used in the following exchange. This field is optional.
/// This argument can be got with method GenerateKey(ApSessionKey).
/// This argument can be null. If this argument is null, no subkey will be sent.</param>
/// <param name="authorizationData">The authentication data of authenticator. This field is optional.
/// This argument can be generated by method ConstructAuthorizationData. This argument can be null.
/// If this argument is null, no Authorization Data will be sent.</param>
/// <param name="key">The key to do checksum.</param>
/// <param name="checksumBody">The data to compute checksum.</param>
/// <returns>The created authenticator.</returns>
private Authenticator CreateAuthenticator(Realm cRealm,
PrincipalName cName,
ChecksumType checksumType,
int seqNumber,
ChecksumFlags flag,
EncryptionKey subkey,
AuthorizationData authorizationData,
EncryptionKey key,
byte[] checksumBody)
{
Authenticator plaintextAuthenticator = new Authenticator();
plaintextAuthenticator.authenticator_vno = new Asn1Integer(ConstValue.KERBEROSV5);
plaintextAuthenticator.crealm = cRealm;
plaintextAuthenticator.cname = cName;
plaintextAuthenticator.cusec = new Microseconds(0);
plaintextAuthenticator.ctime = KileUtility.CurrentKerberosTime;
plaintextAuthenticator.seq_number = new KerbUInt32(seqNumber);
plaintextAuthenticator.subkey = subkey;
plaintextAuthenticator.authorization_data = authorizationData;
if (checksumType == ChecksumType.ap_authenticator_8003)
{
// compute the checksum
AuthCheckSum checksum = new AuthCheckSum();
checksum.Lgth = ConstValue.AUTHENTICATOR_CHECKSUM_LENGTH;
checksum.Bnd = new byte[checksum.Lgth];
checksum.Flags = (int)flag;
byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
checksum.Bnd,
BitConverter.GetBytes(checksum.Flags));
// in AP request
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));
}
else
{
// in TGS PA data
byte[] checkData = KileUtility.GetChecksum(
key.keyvalue.ByteArrayValue,
checksumBody,
(int)KeyUsageNumber.TGS_REQ_PA_TGS_REQ_adataOR_AP_REQ_Authenticator_cksum,
checksumType);
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(checkData));
}
return(plaintextAuthenticator);
}
public override KerberosKey CreateKey()
{
var principalName = new PrincipalName(PrincipalNameType.NT_PRINCIPAL, Domain, new[] { UserName });
Byte[] hashbytes = Utils.ToHexByteArray(this.hash);
var salt = "";
return(new KerberosKey(
hashbytes,
null,
principalName,
etype: this.etype,
saltType: SaltType.ActiveDirectoryUser,
salt: salt
));
}
public KileTgsRequest CreateTgsRequest(string sName,
KDCOptions kdcOptions,
Asn1SequenceOf <PA_DATA> paData,
ChecksumType checksumType,
Ticket additionalTicket,
AuthorizationData authorizationData)
{
if (sName == null)
{
throw new ArgumentNullException(nameof(sName));
}
var sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
return(CreateTgsRequest(sname, kdcOptions, new KerbUInt32((uint)Math.Abs((uint)DateTime.Now.Ticks)), context.UserRealm, paData,
checksumType, additionalTicket, authorizationData));
}
public KerberosKey(
string password,
PrincipalName principalName = null,
string host = null,
string salt = null,
EncryptionType etype = 0,
SaltType saltType = SaltType.ActiveDirectoryService,
byte[] iterationParams = null,
int?kvno = null
)
: this(null, password, null, principalName, host, salt, etype, saltType, iterationParams, kvno)
{
if (string.IsNullOrWhiteSpace(password))
{
throw new ArgumentNullException(nameof(password));
}
}
public KerberosKey(
byte[] key = null,
byte[] password = null,
PrincipalName principal = null,
string host = null,
string salt = null,
EncryptionType etype = 0,
SaltType saltType = SaltType.ActiveDirectoryService,
byte[] iterationParams = null,
int?kvno = null
)
: this(key, null, password, principal, host, salt, etype, saltType, iterationParams, kvno)
{
if (key == null && password == null)
{
throw new ArgumentException("Either a key or password must be provided");
}
}
public KileTgsRequest CreateTgsRequest(string sName,
KRBFlags kdcOptions,
KerbUInt32 nonce,
Asn1SequenceOf <PA_DATA> paData,
ChecksumType checksumType,
Ticket additionalTicket,
AuthorizationData authorizationData)
{
if (sName == null)
{
throw new ArgumentNullException("sName");
}
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KileUtility.String2SeqKerbString(sName.Split('/')));
return(CreateTgsRequest(context.UserRealm, context.UserName, sname, kdcOptions, nonce, context.UserRealm, paData,
checksumType, additionalTicket, authorizationData));
}
/// <summary>
/// Construct PA_TGS_REQ for TGS request.
/// </summary>
/// <param name="cRealm">This field contains the name of the realm in which the client is registered and in
/// which initial authentication took place.</param>
/// <param name="cName">This field contains the name part of the client's principal identifier.</param>
/// <param name="checksumType">The checksum type in Authenticator.</param>
/// <param name="checksumBody">The data to compute checksum.</param>
/// <returns>The constructed PaData.</returns>
private PA_DATA ConstructTgsPaData(Realm cRealm, PrincipalName cName, ChecksumType checksumType, byte[] checksumBody)
{
AP_REQ request = new AP_REQ();
KerbAuthDataTokenRestrictions adRestriction =
ConstructKerbAuthDataTokenRestrictions(0,
(uint)LSAP_TOKEN_INFO_INTEGRITY_Flags.FULL_TOKEN,
(uint)LSAP_TOKEN_INFO_INTEGRITY_TokenIL.Medium,
new Guid().ToString());
AuthorizationData authData = ConstructAuthorizationData(adRestriction);
// create and encrypt authenticator
Authenticator authenticator = CreateAuthenticator(cRealm,
cName,
checksumType,
0,
0,
null,
authData,
context.TgsSessionKey,
checksumBody);
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
byte[] encAsnEncodedAuth =
KileUtility.Encrypt((EncryptionType)context.TgsSessionKey.keytype.Value,
context.TgsSessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator);
request.authenticator = new EncryptedData();
request.authenticator.etype = new Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerbInt32(context.TgsSessionKey.keytype.Value);
request.authenticator.cipher = new Asn1OctetString(encAsnEncodedAuth);
// create AP request
request.ap_options = new APOptions(KileUtility.ConvertInt2Flags((int)ApOptions.None));
request.msg_type = new Asn1Integer((int)MsgType.KRB_AP_REQ);
request.pvno = new Asn1Integer(ConstValue.KERBEROSV5);
request.ticket = context.TgsTicket;
Asn1BerEncodingBuffer apBerBuffer = new Asn1BerEncodingBuffer();
request.BerEncode(apBerBuffer, true);
return(new PA_DATA(new KerbInt32((int)PaDataType.PA_TGS_REQ), new Asn1OctetString(apBerBuffer.Data)));
}
