private void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPadata = null, AuthorizationData dataInAuthentiator = null, AuthorizationData dataInEncAuthData = null, MsgType msgType = MsgType.KRB_TGS_REQ)
{
if (string.IsNullOrEmpty(sName))
{
throw new ArgumentNullException("sName");
}
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); // almost same as AS request
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
ChecksumType checksumType = KerberosUtility.GetChecksumType(this.Context.SelectedEType);
PA_DATA paTgsReq = CreatePaTgsReqest(checksumType, bodyBuffer.Data, dataInAuthentiator); // use AS session key encrypt authenticator.
Asn1SequenceOf <PA_DATA> tempPaData = null;
if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paTgsReq });
}
else
{
PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
paDatas[seqPadata.Elements.Length] = paTgsReq;
tempPaData = new Asn1SequenceOf <PA_DATA>(paDatas);
}
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);
tgsRequest.Request.msg_type.Value = (long)msgType;
this.client.SendPdu(tgsRequest);
}
public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
byte[] key = KeyGenerator.MakeKey(eType, password, salt);
this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(key));
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.PA_ENC_TIMESTAMP);
// create an encrypted timestamp
PA_ENC_TIMESTAMP paEncTimeStamp =
new PA_ENC_TIMESTAMP(new KerbInt32(this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
paEncTimeStamp.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP), new Asn1OctetString(paEncTimestampBuffer.Data));
}
/// <summary>
/// Parse raw PA_DATA type to PaTgsReq object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaTgsReq object</returns>
public static PaTgsReq Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_TGS_REQ)
{
throw new Exception();
}
AP_REQ apReq = new AP_REQ();
apReq.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return(new PaTgsReq(apReq));
}
/// <summary>
/// Parse raw PA_DATA type to PaFxFast object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaFxFast object</returns>
public static PaFxFastReq Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST)
{
throw new Exception();
}
PA_FX_FAST_REQUEST request = new PA_FX_FAST_REQUEST();
request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return(new PaFxFastReq(request));
}
public static PaSvrReferralInfo Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_SVR_REFERRAL_INFO)
{
throw new Exception();
}
PA_SVR_REFERRAL_DATA paSvrReferralData = new PA_SVR_REFERRAL_DATA();
paSvrReferralData.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return(new PaSvrReferralInfo(paSvrReferralData));
}
public static PaPacOptions Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_PAC_OPTION)
{
throw new Exception();
}
KERB_PA_PAC_OPTIONS paPacOptions = new KERB_PA_PAC_OPTIONS();
paPacOptions.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
throw new NotImplementedException();//need to convert from bytd[] to integer
}
/// <summary>
/// Parse raw PA_DATA type to PaFxFast object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaFxFast object</returns>
public static PaETypeInfo2 Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_ETYPE_INFO2)
{
throw new Exception();
}
ETYPE_INFO2 eTypeInfo = new ETYPE_INFO2();
eTypeInfo.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return(new PaETypeInfo2(eTypeInfo));
}
/// <summary>
/// Parse raw PA_DATA type to PaPacRequest object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaPacRequest object</returns>
public static PaPacRequest Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_PAC_REQUEST)
{
throw new Exception();
}
KERB_PA_PAC_REQUEST request = new KERB_PA_PAC_REQUEST();
request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return(new PaPacRequest(request.include_pac.Value));
}
/// <summary>
/// Parse raw PA_DATA type to PaFxFastReq object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaFxFast object</returns>
public static PaFxFastRep Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST)
{
throw new Exception();
}
if (data.padata_value != null && data.padata_value.Value.Length > 0)
{
PA_FX_FAST_REPLY reply = new PA_FX_FAST_REPLY();
reply.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return(new PaFxFastRep(reply));
}
return(new PaFxFastRep(null));
}
/// <summary>
/// Parse raw PA_DATA type to IPaData object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to IPaData object</returns>
public static IPaData ParseReqPaData(PA_DATA data)
{
switch (data.padata_type.Value)
{
case (long)PaDataType.PA_FX_FAST:
return PaFxFastReq.Parse(data);
case (long)PaDataType.PA_PAC_REQUEST:
return PaPacRequest.Parse(data);
case (long)PaDataType.PA_TGS_REQ:
return PaTgsReq.Parse(data);
case (long)PaDataType.PA_ETYPE_INFO2:
return PaETypeInfo2.Parse(data);
}
return PaRawData.Parse(data);
}
/// <summary>
/// Parse raw PA_DATA type to IPaData object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to IPaData object</returns>
public static IPaData ParseReqPaData(PA_DATA data)
{
switch (data.padata_type.Value)
{
case (long)PaDataType.PA_FX_FAST:
return(PaFxFastReq.Parse(data));
case (long)PaDataType.PA_PAC_REQUEST:
return(PaPacRequest.Parse(data));
case (long)PaDataType.PA_TGS_REQ:
return(PaTgsReq.Parse(data));
case (long)PaDataType.PA_ETYPE_INFO2:
return(PaETypeInfo2.Parse(data));
}
return(PaRawData.Parse(data));
}
/// <summary>
/// Parse raw PA_DATA type to IPaData object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to IPaData object</returns>
public static IPaData ParseRepPaData(PA_DATA data)
{
switch (data.padata_type.Value)
{
case (long)PaDataType.PA_FX_FAST:
return PaFxFastRep.Parse(data);
case (long)PaDataType.PA_ETYPE_INFO2:
return PaETypeInfo2.Parse(data);
case (long)PaDataType.PA_FX_ERROR:
return PaFxError.Parse(data);
case (long)PaDataType.PA_FX_COOKIE:
return PaFxCookie.Parse(data);
case (long)PaDataType.PA_SUPPORTED_ENCTYPES:
return PaSupportedEncTypes.Parse(data);
case (long)PaDataType.PA_SVR_REFERRAL_INFO:
return PaSvrReferralInfo.Parse(data);
}
return PaRawData.Parse(data);
}
/// <summary>
/// Parse raw PA_DATA type to IPaData object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to IPaData object</returns>
public static IPaData ParseRepPaData(PA_DATA data)
{
switch (data.padata_type.Value)
{
case (long)PaDataType.PA_FX_FAST:
return(PaFxFastRep.Parse(data));
case (long)PaDataType.PA_ETYPE_INFO2:
return(PaETypeInfo2.Parse(data));
case (long)PaDataType.PA_FX_ERROR:
return(PaFxError.Parse(data));
case (long)PaDataType.PA_FX_COOKIE:
return(PaFxCookie.Parse(data));
case (long)PaDataType.PA_SUPPORTED_ENCTYPES:
return(PaSupportedEncTypes.Parse(data));
case (long)PaDataType.PA_SVR_REFERRAL_INFO:
return(PaSvrReferralInfo.Parse(data));
}
return(PaRawData.Parse(data));
}
public static PaRawData Parse(PA_DATA data)
{
return(new PaRawData(data));
}
public static PaFxCookie Parse(PA_DATA data)
{
return(new PaFxCookie(data));
}
public static PaSupportedEncTypes Parse(PA_DATA data)
{
return(new PaSupportedEncTypes(data));
}
public PaRawData(PA_DATA data)
{
this.data = data;
}
public static PaFxError Parse(PA_DATA data)
{
var paFxError = new PaFxError(data);
return(paFxError);
}
public static PaEncTimeStamp Parse(PA_DATA data)
{
throw new NotImplementedException();
}
public static PaFxCookie Parse(PA_DATA data)
{
return new PaFxCookie(data);
}
/// <summary>
/// Parse raw PA_DATA type to PaTgsReq object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaTgsReq object</returns>
public static PaTgsReq Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_TGS_REQ)
throw new Exception();
AP_REQ apReq = new AP_REQ();
apReq.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return new PaTgsReq(apReq);
}
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
var keyvalue = KeyGenerator.KrbFxCf2(
(EncryptionType)armorKey.keytype.Value,
armorKey.keyvalue.ByteArrayValue,
userLongTermKey.keyvalue.ByteArrayValue,
"clientchallengearmor",
"challengelongterm");
switch (type)
{
case EncryptionType.AES256_CTS_HMAC_SHA1_96:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
case EncryptionType.RC4_HMAC:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
default:
throw new ArgumentException("Unsupported encryption type.");
}
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);
EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value),
null,
new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
encryptedChallenge.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data));
}
public static PaSupportedEncTypes Parse(PA_DATA data)
{
return new PaSupportedEncTypes(data);
}
public static PaSvrReferralInfo Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_SVR_REFERRAL_INFO)
throw new Exception();
PA_SVR_REFERRAL_DATA paSvrReferralData = new PA_SVR_REFERRAL_DATA();
paSvrReferralData.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return new PaSvrReferralInfo(paSvrReferralData);
}
public PaSupportedEncTypes(PA_DATA data)
{
uint value = BitConverter.ToUInt32(data.padata_value.ByteArrayValue, 0);
SupportedEncTypes = (SupportedEncryptionTypes)value;
}
/// <summary>
/// Parse raw PA_DATA type to PaFxFastReq object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaFxFast object</returns>
public static PaFxFastRep Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST)
throw new Exception();
if (data.padata_value != null && data.padata_value.Value.Length > 0)
{
PA_FX_FAST_REPLY reply = new PA_FX_FAST_REPLY();
reply.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return new PaFxFastRep(reply);
}
return new PaFxFastRep(null);
}
public static PaRawData Parse(PA_DATA data)
{
return new PaRawData(data);
}
public static PaPacOptions Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_PAC_OPTION)
throw new Exception();
KERB_PA_PAC_OPTIONS paPacOptions = new KERB_PA_PAC_OPTIONS();
paPacOptions.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
throw new NotImplementedException();//need to convert from bytd[] to integer
}
/// <summary>
/// Create and send FAST AS request with an unknown armor type
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="armorType">armorType</param>
public void SendAsRequestWithFast(
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
KrbFastArmorType armorType
)
{
Context.Subkey = subKey;
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
}
public static PaFxError Parse(PA_DATA data)
{
var paFxError = new PaFxError(data);
return paFxError;
}
/// <summary>
/// Parse raw PA_DATA type to PaFxFast object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaFxFast object</returns>
public static PaETypeInfo2 Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_ETYPE_INFO2)
throw new Exception();
ETYPE_INFO2 eTypeInfo = new ETYPE_INFO2();
eTypeInfo.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return new PaETypeInfo2(eTypeInfo);
}
public PaFxError(PA_DATA PaData)
{
paData = PaData;
KrbError = new KerberosKrbError();
KrbError.FromBytes(PaData.padata_value.ByteArrayValue);
}
public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
byte[] key = KeyGenerator.MakeKey(eType, password, salt);
this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(key));
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.PA_ENC_TIMESTAMP);
// create an encrypted timestamp
PA_ENC_TIMESTAMP paEncTimeStamp =
new PA_ENC_TIMESTAMP(new KerbInt32(this.Key.keytype.Value), null, new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
paEncTimeStamp.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP), new Asn1OctetString(paEncTimestampBuffer.Data));
}
public PaFxCookie(PA_DATA data)
{
this.data = data;
}
/// <summary>
/// Parse raw PA_DATA type to PaPacRequest object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaPacRequest object</returns>
public static PaPacRequest Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_PAC_REQUEST)
throw new Exception();
KERB_PA_PAC_REQUEST request = new KERB_PA_PAC_REQUEST();
request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return new PaPacRequest(request.include_pac.Value);
}
public static PaEncTimeStamp Parse(PA_DATA data)
{
throw new NotImplementedException();
}
public static PaEncryptedChallenge Parse(PA_DATA data)
{
throw new NotImplementedException();
}
public PaFxError(PA_DATA PaData)
{
paData = PaData;
KrbError = new KerberosKrbError();
KrbError.FromBytes(PaData.padata_value.ByteArrayValue);
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithExplicitFast(
string sName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
AuthorizationData data = null)
{
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
//Create PA-TGS-REQ
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
//Create explicit FAST armor
EncryptionKey explicitSubkey = KerberosUtility.MakeKey(
Context.SelectedEType,
"Password04!",
"This is a salt");
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request);
//Create armor key
var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey);
Context.FastArmorkey = armorKey;
//Create PA-FX-FAST
var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
public PaFxCookie(PA_DATA data)
{
this.data = data;
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithFastHideCName(
string sName,
PrincipalName cName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions,
AuthorizationData data = null)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
kdcReqBody.cname = cName;
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
var armorKey = GetArmorKey(Context.SessionKey, subKey);
var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue);
Context.FastArmorkey = armorKey;
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
public PaSupportedEncTypes(PA_DATA data)
{
uint value = BitConverter.ToUInt32(data.padata_value.ByteArrayValue, 0);
SupportedEncTypes = (SupportedEncryptionTypes)value;
}
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
{
this.TimeStamp = timeStamp;
this.Usec = usec;
var keyvalue = KeyGenerator.KrbFxCf2(
(EncryptionType)armorKey.keytype.Value,
armorKey.keyvalue.ByteArrayValue,
userLongTermKey.keyvalue.ByteArrayValue,
"clientchallengearmor",
"challengelongterm");
switch (type)
{
case EncryptionType.AES256_CTS_HMAC_SHA1_96:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.AES256_CTS_HMAC_SHA1_96), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
case EncryptionType.RC4_HMAC:
{
var key = new EncryptionKey(new KerbInt32((long)EncryptionType.RC4_HMAC), new Asn1OctetString(keyvalue));
this.Key = key;
break;
}
default:
throw new ArgumentException("Unsupported encryption type.");
}
// create a timestamp
PA_ENC_TS_ENC paEncTsEnc = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
Asn1BerEncodingBuffer currTimeStampBuffer = new Asn1BerEncodingBuffer();
paEncTsEnc.BerEncode(currTimeStampBuffer);
var rawData = currTimeStampBuffer.Data;
KerberosUtility.OnDumpMessage("KRB5:PA-ENC-TS-ENC",
"Encrypted Timestamp Pre-authentication",
KerberosUtility.DumpLevel.PartialMessage,
rawData);
// encrypt the timestamp
byte[] encTimeStamp = KerberosUtility.Encrypt((EncryptionType)this.Key.keytype.Value,
this.Key.keyvalue.ByteArrayValue,
rawData,
(int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);
EncryptedChallenge encryptedChallenge = new EncryptedChallenge(new KerbInt32((long)this.Key.keytype.Value),
null,
new Asn1OctetString(encTimeStamp));
Asn1BerEncodingBuffer paEncTimestampBuffer = new Asn1BerEncodingBuffer();
encryptedChallenge.BerEncode(paEncTimestampBuffer, true);
Data = new PA_DATA(new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE), new Asn1OctetString(paEncTimestampBuffer.Data));
}
public PaRawData(PA_DATA data)
{
this.data = data;
}
public static PaEncryptedChallenge Parse(PA_DATA data)
{
throw new NotImplementedException();
}
/// <summary>
/// Create and send FAST AS request
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
public void SendAsRequestWithFastHideCName(
KdcOptions kdcOptions,
string cName,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
}
/// <summary>
/// Parse raw PA_DATA type to PaFxFast object.
/// </summary>
/// <param name="data">Raw PA_DATA</param>
/// <returns>Reference to PaFxFast object</returns>
public static PaFxFastReq Parse(PA_DATA data)
{
if (data.padata_type.Value != (long)PaDataType.PA_FX_FAST)
throw new Exception();
PA_FX_FAST_REQUEST request = new PA_FX_FAST_REQUEST();
request.BerDecode(new Asn1DecodingBuffer(data.padata_value.ByteArrayValue));
return new PaFxFastReq(request);
}
/// <summary>
/// Create and send TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="seqPadata">A sequence of preauthentication data</param>
/// <param name="checksumType">Checksum type of PA-TGS-REQ</param>
/// <param name="additionalTicket">Additional ticket</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequest(string sName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> seqPadata = null,
Ticket additionalTicket = null,
AuthorizationData dataInAuthenticator = null,
AuthorizationData dataInEncAuthData = null)
{
if (sName == null)
{
throw new ArgumentNullException("sName");
}
PrincipalName sname = new PrincipalName(
new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData);
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
PA_DATA paTgsReq = CreatePaTgsReq(checksumType, bodyBuffer.Data, dataInAuthenticator);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq });
}
else
{
PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
paDatas[seqPadata.Elements.Length] = paTgsReq;
tempPaData = new Asn1SequenceOf<PA_DATA>(paDatas);
}
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send TGS request.");
}
public void UnknownPaType()
{
base.Logging();
//Create kerberos test client and connect
client = new KerberosTestClient(this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
//Create and send AS request
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
//Recieve preauthentication required error
METHOD_DATA methodData;
KerberosKrbError krbError = client.ExpectPreauthRequiredError(out methodData);
//Create sequence of PA data
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(timeStamp,
0,
this.client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
PaPacRequest paPacRequest = new PaPacRequest(true);
//Create an unknown padata type
int invalidPaDataType = 1234567890;
byte[] invalidPaDataValue = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
PA_DATA invalidPaData = new PA_DATA(new KerbInt32(invalidPaDataType), new Asn1OctetString(invalidPaDataValue));
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data, paPacRequest.Data, invalidPaData });
BaseTestSite.Log.Add(LogEntryKind.Comment, "Create a sequence of PA data with invalid PA data.");
//Create and send AS request
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Assert.IsNotNull(asResponse.Response.ticket, "Unknown pre-authentication types MUST be ignored by KDCs. AS response should contain a TGT.");
//Create and send TGS request
client.SendTgsRequest(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, options);
KerberosTgsResponse tgsResponse = client.ExpectTgsResponse();
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
tgsResponse.Response.ticket.realm.Value.ToLower(),
"The realm in ticket should match expected.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName,
KerberosUtility.PrincipalName2String(tgsResponse.Response.ticket.sname),
"The Service principal name in ticket should match expected.");
EncryptionKey key = testConfig.QueryKey(this.testConfig.LocalRealm.ClientComputer.DefaultServiceName, this.testConfig.LocalRealm.RealmName, this.client.Context.SelectedEType);
tgsResponse.DecryptTicket(key);
//tgsResponse.DecryptTicket(this.testConfig.LocalRealm.ClientComputer.Password, this.testConfig.LocalRealm.ClientComputer.ServiceSalt);
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.RealmName.ToLower(),
tgsResponse.TicketEncPart.crealm.Value.ToLower(),
"The realm in ticket encrypted part should match expected.");
BaseTestSite.Assert.AreEqual(this.testConfig.LocalRealm.User[1].Username.ToLower(),
KerberosUtility.PrincipalName2String(tgsResponse.TicketEncPart.cname).ToLower(),
"The client principal name in ticket encrypted part should match expected.");
}
