/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <returns></returns>
private byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));
Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
this.ApRequestAuthenticator = authenticator;
KerberosApRequest request = new KerberosApRequest(
Context.Pvno,
options,
Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
this.client.UpdateContext(request);
if ((this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE)
{
return(request.ToBytes());
}
else
{
return(KerberosUtility.AddGssApiTokenHeader(request, this.client.OidPkt, gssToken));
}
}
private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subKey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator authenticator = CreateAuthenticator(ticket, data, subKey, checksumType, checksumBody);
KerberosApRequest apRequest = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
return(apRequest);
}
public static AdAuthDataApOptions Parse(AuthorizationDataElement element)
{
if (element.ad_type.Value != (int)AuthorizationData_elementType.AD_AUTH_DATA_AP_OPTIONS)
throw new Exception();
var apOptions = new APOptions();
apOptions.BerDecode(new Asn1DecodingBuffer(element.ad_data.ByteArrayValue));
throw new NotImplementedException();
}
private PA_DATA CreatePaTgsReqest(ChecksumType checksumType, byte[] checksumBody, AuthorizationData data)
{
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
EncryptionKey key = Context.SessionKey;
KerberosApRequest apRequest = CreateApRequest(option, Context.Ticket, null, data, KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator, checksumType, checksumBody);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
return(paTgsReq.Data);
}
public static AdAuthDataApOptions Parse(AuthorizationDataElement element)
{
if (element.ad_type.Value != (int)AuthorizationData_elementType.AD_AUTH_DATA_AP_OPTIONS)
{
throw new Exception();
}
var apOptions = new APOptions();
apOptions.BerDecode(new Asn1DecodingBuffer(element.ad_data.ByteArrayValue));
throw new NotImplementedException();
}
public AP_REQ(
Asn1Integer param0,
Asn1Integer param1,
APOptions param2,
Ticket param3,
EncryptedData param4)
{
this.pvno = param0;
this.msg_type = param1;
this.ap_options = param2;
this.ticket = param3;
this.authenticator = param4;
}
public AP_REQ(
Asn1Integer param0,
Asn1Integer param1,
APOptions param2,
Ticket param3,
EncryptedData param4)
{
this.pvno = param0;
this.msg_type = param1;
this.ap_options = param2;
this.ticket = param3;
this.authenticator = param4;
}
/// <summary>
/// Create an instance.
/// </summary>
public KpasswordRequest(KerberosTicket ticket, Authenticator authenticator, string newPwd, bool isAuthErrorRequired = false)
{
//Create KerberosApRequest
long pvno = KerberosConstValue.KERBEROSV5;
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
KerberosApRequest ap_req = new KerberosApRequest(pvno, option, ticket, authenticator, KeyUsageNumber.AP_REQ_Authenticator);
//Create KRB_PRIV
ChangePasswdData pwd_data = new ChangePasswdData(new Asn1OctetString(newPwd), null, null);
priv_enc_part = new EncKrbPrivPart();
priv_enc_part.user_data = pwd_data.newpasswd;
priv_enc_part.usec = authenticator.cusec;
priv_enc_part.seq_number = authenticator.seq_number;
priv_enc_part.s_address = new HostAddress(new KerbInt32((int)AddressType.NetBios), new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())));
Asn1BerEncodingBuffer asnBuffPriv = new Asn1BerEncodingBuffer();
priv_enc_part.BerEncode(asnBuffPriv, true);
byte[] encAsnEncodedPriv = null;
if (!isAuthErrorRequired)
{
encAsnEncodedPriv = KerberosUtility.Encrypt((EncryptionType)authenticator.subkey.keytype.Value,
authenticator.subkey.keyvalue.ByteArrayValue,
asnBuffPriv.Data,
(int)KeyUsageNumber.KRB_PRIV_EncPart);
}
else
{
encAsnEncodedPriv = KerberosUtility.Encrypt((EncryptionType)authenticator.subkey.keytype.Value,
authenticator.subkey.keyvalue.ByteArrayValue,
asnBuffPriv.Data,
(int)KeyUsageNumber.None);
}
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(authenticator.subkey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedPriv);
KRB_PRIV krb_priv = new KRB_PRIV(new Asn1Integer(pvno), new Asn1Integer((long)MsgType.KRB_PRIV), encrypted);
//Calculate the msg_length and ap_req_length
krb_priv.BerEncode(privBuffer, true);
ap_req.Request.BerEncode(apBuffer, true);
version = 0x0001;
ap_req_length = (ushort)apBuffer.Data.Length;
msg_length = (ushort)(ap_req_length + privBuffer.Data.Length + 3 * sizeof(ushort));
//Convert Endian
version = KerberosUtility.ConvertEndian(version);
ap_req_length = KerberosUtility.ConvertEndian(ap_req_length);
msg_length = KerberosUtility.ConvertEndian(msg_length);
}
/// <summary>
/// Create an instance.
/// </summary>
public KpasswordRequest(KerberosTicket ticket, Authenticator authenticator, string newPwd, bool isAuthErrorRequired = false)
{
//Create KerberosApRequest
long pvno = KerberosConstValue.KERBEROSV5;
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
KerberosApRequest ap_req = new KerberosApRequest(pvno, option, ticket, authenticator, KeyUsageNumber.AP_REQ_Authenticator);
//Create KRB_PRIV
ChangePasswdData pwd_data = new ChangePasswdData(new Asn1OctetString(newPwd), null, null);
priv_enc_part = new EncKrbPrivPart();
priv_enc_part.user_data = pwd_data.newpasswd;
priv_enc_part.usec = authenticator.cusec;
priv_enc_part.seq_number = authenticator.seq_number;
priv_enc_part.s_address = new HostAddress(new KerbInt32((int)AddressType.NetBios), new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())));
Asn1BerEncodingBuffer asnBuffPriv = new Asn1BerEncodingBuffer();
priv_enc_part.BerEncode(asnBuffPriv, true);
byte[] encAsnEncodedPriv = null;
if (!isAuthErrorRequired)
{
encAsnEncodedPriv = KerberosUtility.Encrypt((EncryptionType)authenticator.subkey.keytype.Value,
authenticator.subkey.keyvalue.ByteArrayValue,
asnBuffPriv.Data,
(int)KeyUsageNumber.KRB_PRIV_EncPart);
}
else
{
encAsnEncodedPriv = KerberosUtility.Encrypt((EncryptionType)authenticator.subkey.keytype.Value,
authenticator.subkey.keyvalue.ByteArrayValue,
asnBuffPriv.Data,
(int)KeyUsageNumber.None);
}
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(authenticator.subkey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedPriv);
KRB_PRIV krb_priv = new KRB_PRIV(new Asn1Integer(pvno), new Asn1Integer((long)MsgType.KRB_PRIV), encrypted);
//Calculate the msg_length and ap_req_length
krb_priv.BerEncode(privBuffer, true);
ap_req.Request.BerEncode(apBuffer, true);
version = 0x0001;
ap_req_length = (ushort)apBuffer.Data.Length;
msg_length = (ushort)(ap_req_length + privBuffer.Data.Length + 3 * sizeof(ushort));
//Convert Endian
version = KerberosUtility.ConvertEndian(version);
ap_req_length = KerberosUtility.ConvertEndian(ap_req_length);
msg_length = KerberosUtility.ConvertEndian(msg_length);
}
/// <summary>
/// Create an instance.
/// </summary>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
KerberosUtility.OnDumpMessage("KRB5:Authenticator",
"Authenticator in AP-REQ structure",
KerberosUtility.DumpLevel.PartialMessage,
asnBuffPlainAuthenticator.Data);
byte[] encAsnEncodedAuth = KerberosUtility.Encrypt((EncryptionType)ticket.SessionKey.keytype.Value,
ticket.SessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)keyUsageNumber);
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(ticket.SessionKey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedAuth);
long msg_type = (long)MsgType.KRB_AP_REQ;
Request = new AP_REQ(new Asn1Integer(pvno), new Asn1Integer(msg_type), ap_options, ticket.Ticket, encrypted);
Authenticator = authenticator;
}
/// <summary>
/// Create an instance.
/// </summary>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
KerberosUtility.OnDumpMessage("KRB5:Authenticator",
"Authenticator in AP-REQ structure",
KerberosUtility.DumpLevel.PartialMessage,
asnBuffPlainAuthenticator.Data);
byte[] encAsnEncodedAuth = KerberosUtility.Encrypt((EncryptionType)ticket.SessionKey.keytype.Value,
ticket.SessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)keyUsageNumber);
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(ticket.SessionKey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedAuth);
long msg_type = (long)MsgType.KRB_AP_REQ;
Request = new AP_REQ(new Asn1Integer(pvno), new Asn1Integer(msg_type), ap_options, ticket.Ticket, encrypted);
Authenticator = authenticator;
}
private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subkey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator authenticator = CreateAuthenticator(ticket, data, subkey, checksumType, checksumBody);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
return apReq;
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithFastHideCName(
string sName,
PrincipalName cName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions,
AuthorizationData data = null)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
kdcReqBody.cname = cName;
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
var armorKey = GetArmorKey(Context.SessionKey, subKey);
var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue);
Context.FastArmorkey = armorKey;
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithExplicitFast(
string sName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
AuthorizationData data = null)
{
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
//Create PA-TGS-REQ
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
//Create explicit FAST armor
EncryptionKey explicitSubkey = KerberosUtility.MakeKey(
Context.SelectedEType,
"Password04!",
"This is a salt");
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request);
//Create armor key
var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey);
Context.FastArmorkey = armorKey;
//Create PA-FX-FAST
var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
/// <summary>
/// Create AP request and encode to GSSAPI token
/// </summary>
/// <param name="apOptions">AP options</param>
/// <param name="data">Authorization data</param>
/// <param name="subkey">Sub-session key in authenticator</param>
/// <param name="checksumFlags">Checksum flags</param>
/// <returns></returns>
public byte[] CreateGssApiToken(ApOptions apOptions, AuthorizationData data, EncryptionKey subkey, ChecksumFlags checksumFlags,
Microsoft.Protocols.TestTools.StackSdk.Security.KerberosLib.KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
APOptions options = new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions));
Authenticator authenticator = CreateAuthenticator(Context.Ticket, data, subkey, checksumFlags);
KerberosApRequest request = new KerberosApRequest(
Context.Pvno,
options,
Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
return KerberosUtility.AddGssApiTokenHeader(request, this.oidPkt, gssToken);
}
private PA_DATA CreatePaTgsReq(ChecksumType checksumType, byte[] checksumBody, AuthorizationData data)
{
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
EncryptionKey key = Context.SessionKey;
EncryptionKey subkey = null;
Ticket ticket = Context.Ticket.Ticket;
KerberosApRequest apRequest = CreateApRequest(option, Context.Ticket, subkey, data, KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator, checksumType, checksumBody);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
return paTgsReq.Data;
}
