public PA_SVR_REFERRAL_DATA(
     PrincipalName param0,
     Realm param1)
 {
     this.referred_name  = param0;
     this.referred_realm = param1;
 }
Exemplo n.º 2
0
 public KDC_REQ_BODY(
     KDCOptions param0,
     PrincipalName param1,
     Realm param2,
     PrincipalName param3,
     KerberosTime param4,
     KerberosTime param5,
     KerberosTime param6,
     KerbUInt32 param7,
     Asn1SequenceOf <KerbInt32> param8,
     HostAddresses param9,
     EncryptedData param10,
     Asn1SequenceOf <Ticket> param11)
 {
     this.kdc_options            = param0;
     this.cname                  = param1;
     this.realm                  = param2;
     this.sname                  = param3;
     this.from                   = param4;
     this.till                   = param5;
     this.rtime                  = param6;
     this.nonce                  = param7;
     this.etype                  = param8;
     this.addresses              = param9;
     this.enc_authorization_data = param10;
     this.additional_tickets     = param11;
 }
Exemplo n.º 3
0
        private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName, AuthorizationData authData = null)
        {
            KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sName);

            if (authData == null)
            {
                return(kdcReqBody);
            }

            Asn1BerEncodingBuffer asnEncBuffer = new Asn1BerEncodingBuffer();

            authData.BerEncode(asnEncBuffer, true);

            EncryptedData encryptData = new EncryptedData();

            encryptData.etype = new KerbInt32(0);
            byte[] encryptAsnEncoded = asnEncBuffer.Data;
            if (this.Context.SessionKey != null && this.Context.SessionKey.keytype != null && this.Context.SessionKey.keyvalue != null && this.Context.SessionKey.keyvalue.Value != null)
            {
                encryptAsnEncoded = KerberosUtility.Encrypt(
                    (EncryptionType)this.Context.SessionKey.keytype.Value,
                    this.Context.SessionKey.keyvalue.ByteArrayValue,
                    encryptAsnEncoded,
                    (int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData
                    );

                encryptData.etype = new KerbInt32(this.Context.SessionKey.keytype.Value);
            }
            encryptData.cipher = new Asn1OctetString(encryptAsnEncoded);
            kdcReqBody.enc_authorization_data = encryptData;

            return(kdcReqBody);
        }
Exemplo n.º 4
0
        private void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPadata = null, AuthorizationData dataInAuthentiator = null, AuthorizationData dataInEncAuthData = null, MsgType msgType = MsgType.KRB_TGS_REQ)
        {
            if (string.IsNullOrEmpty(sName))
            {
                throw new ArgumentNullException("sName");
            }
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY          kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); // almost same as AS request
            Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();

            kdcReqBody.BerEncode(bodyBuffer);

            ChecksumType checksumType = KerberosUtility.GetChecksumType(this.Context.SelectedEType);
            PA_DATA      paTgsReq     = CreatePaTgsReqest(checksumType, bodyBuffer.Data, dataInAuthentiator); // use AS session key encrypt authenticator.

            Asn1SequenceOf <PA_DATA> tempPaData = null;

            if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
            {
                tempPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paTgsReq });
            }
            else
            {
                PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
                Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
                paDatas[seqPadata.Elements.Length] = paTgsReq;
                tempPaData = new Asn1SequenceOf <PA_DATA>(paDatas);
            }

            KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);

            tgsRequest.Request.msg_type.Value = (long)msgType;
            this.client.SendPdu(tgsRequest);
        }
 public EncASRepPart(
     EncryptionKey param0,
     LastReq param1,
     KerbUInt32 param2,
     KerberosTime param3,
     TicketFlags param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     KerberosTime param8,
     Realm param9,
     PrincipalName param10,
     HostAddresses param11,
     Asn1SequenceOf <PA_DATA> param12)
 {
     this.key            = param0;
     this.last_req       = param1;
     this.nonce          = param2;
     this.key_expiration = param3;
     this.flags          = param4;
     this.authtime       = param5;
     this.starttime      = param6;
     this.endtime        = param7;
     this.renew_till     = param8;
     this.srealm         = param9;
     this.sname          = param10;
     this.caddr          = param11;
     this.pa_datas       = param12;
 }
 public KrbCredInfo(
     EncryptionKey param0,
     Realm param1,
     PrincipalName param2,
     TicketFlags param3,
     KerberosTime param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     Realm param8,
     PrincipalName param9,
     HostAddresses param10)
 {
     this.key = param0;
     this.prealm = param1;
     this.pname = param2;
     this.flags = param3;
     this.authtime = param4;
     this.starttime = param5;
     this.endtime = param6;
     this.renew_till = param7;
     this.srealm = param8;
     this.sname = param9;
     this.caddr = param10;
 }
 public EncTicketPart(
     TicketFlags param0,
     EncryptionKey param1,
     Realm param2,
     PrincipalName param3,
     TransitedEncoding param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     KerberosTime param8,
     HostAddresses param9,
     AuthorizationData param10)
 {
     this.flags              = param0;
     this.key                = param1;
     this.crealm             = param2;
     this.cname              = param3;
     this.transited          = param4;
     this.authtime           = param5;
     this.starttime          = param6;
     this.endtime            = param7;
     this.renew_till         = param8;
     this.caddr              = param9;
     this.authorization_data = param10;
 }
 public EncTicketPart(
     TicketFlags param0,
     EncryptionKey param1,
     Realm param2,
     PrincipalName param3,
     TransitedEncoding param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     KerberosTime param8,
     HostAddresses param9,
     AuthorizationData param10)
 {
     this.flags = param0;
     this.key = param1;
     this.crealm = param2;
     this.cname = param3;
     this.transited = param4;
     this.authtime = param5;
     this.starttime = param6;
     this.endtime = param7;
     this.renew_till = param8;
     this.caddr = param9;
     this.authorization_data = param10;
 }
 public KDC_REQ_BODY(
     KDCOptions param0,
     PrincipalName param1,
     Realm param2,
     PrincipalName param3,
     KerberosTime param4,
     KerberosTime param5,
     KerberosTime param6,
     KerbUInt32 param7,
     Asn1SequenceOf<KerbInt32> param8,
     HostAddresses param9,
     EncryptedData param10,
     Asn1SequenceOf<Ticket> param11)
 {
     this.kdc_options = param0;
     this.cname = param1;
     this.realm = param2;
     this.sname = param3;
     this.from = param4;
     this.till = param5;
     this.rtime = param6;
     this.nonce = param7;
     this.etype = param8;
     this.addresses = param9;
     this.enc_authorization_data = param10;
     this.additional_tickets = param11;
 }
Exemplo n.º 10
0
 public KrbCredInfo(
     EncryptionKey param0,
     Realm param1,
     PrincipalName param2,
     TicketFlags param3,
     KerberosTime param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     Realm param8,
     PrincipalName param9,
     HostAddresses param10)
 {
     this.key        = param0;
     this.prealm     = param1;
     this.pname      = param2;
     this.flags      = param3;
     this.authtime   = param4;
     this.starttime  = param5;
     this.endtime    = param6;
     this.renew_till = param7;
     this.srealm     = param8;
     this.sname      = param9;
     this.caddr      = param10;
 }
 public PA_SVR_REFERRAL_DATA(
     PrincipalName param0,
     Realm param1)
 {
     this.referred_name = param0;
     this.referred_realm = param1;
 }
 public EncASRepPart(
     EncryptionKey param0,
     LastReq param1,
     KerbUInt32 param2,
     KerberosTime param3,
     TicketFlags param4,
     KerberosTime param5,
     KerberosTime param6,
     KerberosTime param7,
     KerberosTime param8,
     Realm param9,
     PrincipalName param10,
     HostAddresses param11,
     Asn1SequenceOf<PA_DATA> param12)
 {
     this.key = param0;
     this.last_req = param1;
     this.nonce = param2;
     this.key_expiration = param3;
     this.flags = param4;
     this.authtime = param5;
     this.starttime = param6;
     this.endtime = param7;
     this.renew_till = param8;
     this.srealm = param9;
     this.sname = param10;
     this.caddr = param11;
     this.pa_datas = param12;
 }
 public KRB_ERROR(
     Asn1Integer param0,
     Asn1Integer param1,
     KerberosTime param2,
     Microseconds param3,
     KerberosTime param4,
     Microseconds param5,
     KerbInt32 param6,
     Realm param7,
     PrincipalName param8,
     Realm param9,
     PrincipalName param10,
     KerberosString param11,
     Asn1OctetString param12)
 {
     this.pvno = param0;
     this.msg_type = param1;
     this.ctime = param2;
     this.cusec = param3;
     this.stime = param4;
     this.susec = param5;
     this.error_code = param6;
     this.crealm = param7;
     this.cname = param8;
     this.realm = param9;
     this.sname = param10;
     this.e_text = param11;
     this.e_data = param12;
 }
Exemplo n.º 14
0
 public KRB_ERROR(
     Asn1Integer param0,
     Asn1Integer param1,
     KerberosTime param2,
     Microseconds param3,
     KerberosTime param4,
     Microseconds param5,
     KerbInt32 param6,
     Realm param7,
     PrincipalName param8,
     Realm param9,
     PrincipalName param10,
     KerberosString param11,
     Asn1OctetString param12)
 {
     this.pvno       = param0;
     this.msg_type   = param1;
     this.ctime      = param2;
     this.cusec      = param3;
     this.stime      = param4;
     this.susec      = param5;
     this.error_code = param6;
     this.crealm     = param7;
     this.cname      = param8;
     this.realm      = param9;
     this.sname      = param10;
     this.e_text     = param11;
     this.e_data     = param12;
 }
        /// <summary>
        /// Create context
        /// </summary>
        /// <param name="domain">Domain name</param>
        /// <param name="cName">Principal name</param>
        /// <param name="password">Password of principal</param>
        /// <param name="accountType">Accoundtype, user or device</param>
        public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt = null)
            : this()
        {
            if (domain == null)
            {
                throw new ArgumentNullException("domain");
            }
            if (cName == null)
            {
                throw new ArgumentNullException("cName");
            }
            if (password == null)
            {
                throw new ArgumentNullException("password");
            }

            this.Realm = new Realm(domain);
            PrincipalName name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
            if (null == salt)
            {
                if (accountType == KerberosAccountType.User)
                    salt = KerberosUtility.GenerateSalt(domain, cName, accountType);

                else if (accountType == KerberosAccountType.Device)
                    salt = KerberosUtility.GenerateSalt(domain, cName, accountType);

                else
                {
                    throw new ArgumentOutOfRangeException("Account type not support");
                }
            }

            this.CName = new Principal(accountType, this.Realm, name, password, salt);
        }
Exemplo n.º 16
0
 /// <summary>
 /// Constructor
 /// </summary>
 /// <param name="type">Type of Principal</param>
 /// <param name="name">Principal name</param>
 /// <param name="password">Password of principal</param>
 /// <param name="salt">Salt of principal</param>
 public Principal(KerberosAccountType type, string realm, string name, string password, string salt)
 {
     Type     = type;
     Realm    = new Realm(realm);
     Name     = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(name));
     Password = password;
     Salt     = salt;
 }
Exemplo n.º 17
0
 /// <summary>
 /// Constructor
 /// </summary>
 /// <param name="type">Type of Principal</param>
 /// <param name="name">Principal name</param>
 /// <param name="password">Password of principal</param>
 public Principal(KerberosAccountType type, Realm realm, PrincipalName name, string password, string salt)
 {
     Type     = type;
     Realm    = realm;
     Name     = name;
     Password = password;
     Salt     = salt;
 }
 public ChangePasswdData(
     Asn1OctetString param0,
     PrincipalName param1,
     Realm param2)
 {
     this.newpasswd = param0;
     this.targname  = param1;
     this.targrealm = param2;
 }
 public ChangePasswdData(
     Asn1OctetString param0,
     PrincipalName param1,
     Realm param2)
 {
     this.newpasswd = param0;
     this.targname = param1;
     this.targrealm = param2;
 }
Exemplo n.º 20
0
 public AD_KDCIssued(
     Checksum param0,
     Realm param1,
     PrincipalName param2,
     AuthorizationData param3)
 {
     this.ad_checksum = param0;
     this.i_realm     = param1;
     this.i_sname     = param2;
     this.elements    = param3;
 }
 public Ticket(
     Asn1Integer param0,
     Realm param1,
     PrincipalName param2,
     EncryptedData param3)
 {
     this.tkt_vno = param0;
     this.realm = param1;
     this.sname = param2;
     this.enc_part = param3;
 }
 public AD_KDCIssued(
     Checksum param0,
     Realm param1,
     PrincipalName param2,
     AuthorizationData param3)
 {
     this.ad_checksum = param0;
     this.i_realm = param1;
     this.i_sname = param2;
     this.elements = param3;
 }
Exemplo n.º 23
0
 public Ticket(
     Asn1Integer param0,
     Realm param1,
     PrincipalName param2,
     EncryptedData param3)
 {
     this.tkt_vno  = param0;
     this.realm    = param1;
     this.sname    = param2;
     this.enc_part = param3;
 }
 public KrbFastFinished(
     KerberosTime param0,
     Microseconds param1,
     Realm param2,
     PrincipalName param3,
     Checksum param4)
 {
     this.timestamp = param0;
     this.usec = param1;
     this.crealm = param2;
     this.cname = param3;
     this.ticket_checksum = param4;
 }
Exemplo n.º 25
0
        private KerberosAsRequest SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPaData)
        {
            string        sName  = KerberosConstValue.KERBEROS_SNAME;
            string        domain = this.Context.Realm.Value;
            PrincipalName sname  =
                new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));

            KDC_REQ_BODY      kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
            KerberosAsRequest asRequest  = this.CreateAsRequest(kdcReqBody, seqPaData);

            this.client.SendPdu(asRequest);
            return(asRequest);
        }
        public static string PrincipalName2String(PrincipalName name)
        {
            StringBuilder sb = new StringBuilder();

            for (int i = 0; i < name.name_string.Elements.Length; i++)
            {
                sb.Append(name.name_string.Elements[i]);
                if (i != name.name_string.Elements.Length - 1)
                {
                    sb.Append("/");
                }
            }

            return(sb.ToString());
        }
Exemplo n.º 27
0
        private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName)
        {
            KerbUInt32    nonce     = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks));
            KerberosTime  till      = new KerberosTime(KerberosConstValue.TGT_TILL_TIME);
            KerberosTime  rtime     = new KerberosTime(KerberosConstValue.TGT_RTIME);
            HostAddresses addresses =
                new HostAddresses(new HostAddress[1] {
                new HostAddress(new KerbInt32((int)AddressType.NetBios),
                                new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())))
            });

            KDCOptions options = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)kdcOptions));

            KDC_REQ_BODY kdcReqBody = new KDC_REQ_BODY(options, Context.CName.Name, Context.Realm, sName, null, till, rtime, nonce, Context.SupportedEType, addresses, null, null);

            return(kdcReqBody);
        }
Exemplo n.º 28
0
 public AS_REP(
     Asn1Integer param0,
     Asn1Integer param1,
     Asn1SequenceOf <PA_DATA> param2,
     Realm param3,
     PrincipalName param4,
     Ticket param5,
     EncryptedData param6)
 {
     this.pvno     = param0;
     this.msg_type = param1;
     this.padata   = param2;
     this.crealm   = param3;
     this.cname    = param4;
     this.ticket   = param5;
     this.enc_part = param6;
 }
 public AS_REP(
     Asn1Integer param0,
     Asn1Integer param1,
     Asn1SequenceOf<PA_DATA> param2,
     Realm param3,
     PrincipalName param4,
     Ticket param5,
     EncryptedData param6)
 {
     this.pvno = param0;
     this.msg_type = param1;
     this.padata = param2;
     this.crealm = param3;
     this.cname = param4;
     this.ticket = param5;
     this.enc_part = param6;
 }
 public Authenticator(
     Asn1Integer param0,
     Realm param1,
     PrincipalName param2,
     Checksum param3,
     Microseconds param4,
     KerberosTime param5,
     EncryptionKey param6,
     KerbUInt32 param7,
     AuthorizationData param8)
 {
     this.authenticator_vno = param0;
     this.crealm = param1;
     this.cname = param2;
     this.cksum = param3;
     this.cusec = param4;
     this.ctime = param5;
     this.subkey = param6;
     this.seq_number = param7;
     this.authorization_data = param8;
 }
 public Authenticator(
  Asn1Integer param0,
  Realm param1,
  PrincipalName param2,
  Checksum param3,
  Microseconds param4,
  KerberosTime param5,
  EncryptionKey param6,
  KerbUInt32 param7,
  AuthorizationData param8)
 {
     this.authenticator_vno = param0;
     this.crealm = param1;
     this.cname = param2;
     this.cksum = param3;
     this.cusec = param4;
     this.ctime = param5;
     this.subkey = param6;
     this.seq_number = param7;
     this.authorization_data = param8;
 }
        /// <summary>
        /// Create context
        /// </summary>
        /// <param name="domain">Domain name</param>
        /// <param name="cName">Principal name</param>
        /// <param name="password">Password of principal</param>
        /// <param name="accountType">Accoundtype, user or device</param>
        public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt = null)
            : this()
        {
            if (domain == null)
            {
                throw new ArgumentNullException("domain");
            }
            if (cName == null)
            {
                throw new ArgumentNullException("cName");
            }
            if (password == null)
            {
                throw new ArgumentNullException("password");
            }

            this.Realm = new Realm(domain);
            PrincipalName name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));

            if (null == salt)
            {
                if (accountType == KerberosAccountType.User)
                {
                    salt = KerberosUtility.GenerateSalt(domain, cName, accountType);
                }

                else if (accountType == KerberosAccountType.Device)
                {
                    salt = KerberosUtility.GenerateSalt(domain, cName, accountType);
                }

                else
                {
                    throw new ArgumentOutOfRangeException("Account type not support");
                }
            }

            this.CName = new Principal(accountType, this.Realm, name, password, salt);
        }
        public PaFxFastReq CreateAsPaFxFast(
            EncryptionKey subKey,
            FastOptions fastOptions,
            ApOptions apOptions,
            Asn1SequenceOf<PA_DATA> seqPaData,
            string sName,
            KDC_REQ_BODY kdcReqBody,
            KrbFastArmorType armorType
            )
        {
            string domain = this.Context.Realm.Value;
            PrincipalName sname =
                new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));

            var armorKey = KerberosUtility.MakeArmorKey(
                Context.SelectedEType,
                subKey.keyvalue.ByteArrayValue,
                Context.ArmorSessionKey.keyvalue.ByteArrayValue);
            Context.FastArmorkey = new EncryptionKey(new KerbInt32((long)Context.SelectedEType), new Asn1OctetString(armorKey));

            Asn1BerEncodingBuffer encodebuf = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(encodebuf);
            var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            var chksum = KerberosUtility.GetChecksum(
                armorKey,
                encodebuf.Data,
                (int)KeyUsageNumber.FAST_REQ_CHECKSUM,
                checksumType);
            Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));

            Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, subKey);

            KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
                Context.ArmorTicket,
                plaintextAuthenticator,
                KeyUsageNumber.AP_REQ_Authenticator);

            KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
            KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
            FastArmorApRequest fastArmor = new FastArmorApRequest(apReq.Request);
            fastArmor.armorType = armorType;
            KerberosArmoredRequest armoredReq
                = new KerberosArmoredRequest(fastArmor, checkSum, (long)Context.SelectedEType, armorKey, fastReq);
            PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
            paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
            PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
            return paFxfast;
        }
 /// <summary>
 /// Constructor
 /// </summary>
 /// <param name="type">Type of Principal</param>
 /// <param name="name">Principal name</param>
 /// <param name="password">Password of principal</param>
 /// <param name="salt">Salt of principal</param>
 public Principal(KerberosAccountType type, string realm, string name, string password, string salt)
 {
     Type = type;
     Realm = new Realm(realm);
     Name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(name));
     Password = password;
     Salt = salt;
 }
 /// <summary>
 /// Create a Kerberos ticket
 /// </summary>
 /// <param name="ticket">Ticket</param>
 /// <param name="ticketOwner">Owner of ticket</param>
 /// <param name="sessionKey">Session key in ticket</param>
 public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
 {
     this.Ticket = ticket;
     this.TicketOwner = ticketOwner;
     this.SessionKey = sessionKey;
 }
        /// <summary>
        /// Create and send AS request for Password change
        /// </summary>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="seqPaData">A sequence of preauthentication data</param>
        public void SendAsRequestForPwdChange(KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPaData)
        {
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(KerberosConstValue.KERBEROS_KADMIN_SNAME.Split('/')));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
            KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData);
            this.SendPdu(asRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request for password change.");
        }
 /// <summary>
 /// Create and send FAST AS request with an unknown armor type
 /// </summary>
 /// <param name="kdcOptions">KDC options</param>
 /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
 /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
 /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
 /// <param name="fastOptions">FAST options</param>
 /// <param name="apOptions">AP options in FAST armor field</param>
 /// <param name="armorType">armorType</param>
 public void SendAsRequestWithFast(
     KdcOptions kdcOptions,
     Asn1SequenceOf<PA_DATA> innerSeqPaData,
     Asn1SequenceOf<PA_DATA> outerSeqPaData,
     EncryptionKey subKey,
     FastOptions fastOptions,
     ApOptions apOptions,
     KrbFastArmorType armorType
     )
 {
     Context.Subkey = subKey;
     string sName = KerberosConstValue.KERBEROS_SNAME;
     string domain = this.Context.Realm.Value;
     PrincipalName sname =
         new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
     KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
     var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType);
     PA_DATA[] elements;
     if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
     {
         elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
         Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
         elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
     }
     else
     {
         elements = new PA_DATA[] { pafxfast.Data };
     }
     Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
     KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
     this.SendPdu(asRequest);
     this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
 }
Exemplo n.º 38
0
 /// <summary>
 /// Create a Kerberos ticket
 /// </summary>
 /// <param name="ticket">Ticket</param>
 /// <param name="ticketOwner">Owner of ticket</param>
 /// <param name="sessionKey">Session key in ticket</param>
 public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
 {
     this.Ticket      = ticket;
     this.TicketOwner = ticketOwner;
     this.SessionKey  = sessionKey;
 }
 /// <summary>
 /// Create and send FAST AS request
 /// </summary>
 /// <param name="kdcOptions">KDC options</param>
 /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
 /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
 /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
 /// <param name="fastOptions">FAST options</param>
 /// <param name="apOptions">AP options in FAST armor field</param>
 public void SendAsRequestWithFastHideCName(
     KdcOptions kdcOptions,
     string cName,
     Asn1SequenceOf<PA_DATA> innerSeqPaData,
     Asn1SequenceOf<PA_DATA> outerSeqPaData,
     EncryptionKey subKey,
     ApOptions apOptions)
 {
     var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
         KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
     Context.Subkey = subKey;
     string sName = KerberosConstValue.KERBEROS_SNAME;
     string domain = this.Context.Realm.Value;
     PrincipalName sname =
         new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
     KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
     kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
     var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody);
     PA_DATA[] elements;
     if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
     {
         elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
         Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
         elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
     }
     else
     {
         elements = new PA_DATA[] { pafxfast.Data };
     }
     Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
     KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
     this.SendPdu(asRequest);
     this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
 }
        /// <summary>
        /// Create and send TGS request
        /// </summary>
        /// <param name="sName">Service principal name</param>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="seqPadata">A sequence of preauthentication data</param>
        /// <param name="checksumType">Checksum type of PA-TGS-REQ</param>
        /// <param name="additionalTicket">Additional ticket</param>
        /// <param name="data">Authorization data</param>
        public void SendTgsRequest(string sName,
            KdcOptions kdcOptions,
            Asn1SequenceOf<PA_DATA> seqPadata = null,
            Ticket additionalTicket = null,
            AuthorizationData dataInAuthenticator = null,
            AuthorizationData dataInEncAuthData = null)
        {
            if (sName == null)
            {
                throw new ArgumentNullException("sName");
            }
            PrincipalName sname = new PrincipalName(
                new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData);
            Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(bodyBuffer);

            ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            PA_DATA paTgsReq = CreatePaTgsReq(checksumType, bodyBuffer.Data, dataInAuthenticator);

            Asn1SequenceOf<PA_DATA> tempPaData = null;
            if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
            {
                tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq });
            }
            else
            {
                PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
                Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
                paDatas[seqPadata.Elements.Length] = paTgsReq;
                tempPaData = new Asn1SequenceOf<PA_DATA>(paDatas);
            }

            KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);
            this.SendPdu(tgsRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send TGS request.");
        }
        private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null)
        {
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator");
            Random r = new Random();
            int seqNum = r.Next();

            Authenticator plaintextAuthenticator = new Authenticator
            {
                authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5),
                crealm = realm,
                cusec = new Microseconds(0),
                ctime = KerberosUtility.CurrentKerberosTime,
                seq_number = new KerbUInt32(seqNum),
                cname = cname,
                subkey = subkey,
                authorization_data = data
            };

            AuthCheckSum checksum = new AuthCheckSum { Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH };
            checksum.Bnd = new byte[checksum.Lgth];
            checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
            byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
                checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
            plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));

            return plaintextAuthenticator;
        }
        private KDC_REQ_BODY CreateKdcRequestBody(
            KdcOptions kdcOptions,
            PrincipalName sName,
            AuthorizationData data = null
            )
        {
            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sName);

            if (data == null)
                return kdcReqBody;

            Asn1BerEncodingBuffer asnBuffer = new Asn1BerEncodingBuffer();
            // Fix me: NullReferenceException if data is null.
            if (data != null) data.BerEncode(asnBuffer, true);

            EncryptedData eData = new EncryptedData();
            eData.etype = new KerbInt32(0);
            byte[] encAsnEncoded = asnBuffer.Data;
            if (Context.SessionKey != null && Context.SessionKey.keytype != null
                && Context.SessionKey.keyvalue != null && Context.SessionKey.keyvalue.Value != null)
            {
                encAsnEncoded = KerberosUtility.Encrypt((EncryptionType)Context.SessionKey.keytype.Value,
                                                    Context.SessionKey.keyvalue.ByteArrayValue,
                                                    asnBuffer.Data,
                                                    (int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData);
                eData.etype = new KerbInt32(Context.SessionKey.keytype.Value);
            }
            eData.cipher = new Asn1OctetString(encAsnEncoded);
            kdcReqBody.enc_authorization_data = eData;

            return kdcReqBody;
        }
 /// <summary>
 /// Constructor
 /// </summary>
 /// <param name="type">Type of Principal</param>
 /// <param name="name">Principal name</param>
 /// <param name="password">Password of principal</param>
 public Principal(KerberosAccountType type, Realm realm, PrincipalName name, string password, string salt)
 {
     Type = type;
     Realm = realm;
     Name = name;
     Password = password;
     Salt = salt;
 }
        /// <summary>
        /// Create and send FAST TGS request
        /// </summary>
        /// <param name="sName">Service principal name</param>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
        /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
        /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
        /// <param name="fastOptions">FAST options</param>
        /// <param name="apOptions">AP options in FAST armor field</param>
        /// <param name="data">Authorization data</param>
        public void SendTgsRequestWithExplicitFast(
            string sName,
            KdcOptions kdcOptions,
            Asn1SequenceOf<PA_DATA> innerSeqPaData,
            Asn1SequenceOf<PA_DATA> outerSeqPaData,
            EncryptionKey subKey,
            FastOptions fastOptions,
            ApOptions apOptions,
            AuthorizationData data = null)
        {
            Context.Subkey = subKey;
            Context.ReplyKey = subKey;
            string domain = this.Context.Realm.Value;
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
            Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(bodyBuffer);

            //Create PA-TGS-REQ
            APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
            ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            KerberosApRequest apRequest = CreateApRequest(
                option,
                Context.Ticket,
                subKey,
                data,
                KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
                checksumType,
                bodyBuffer.Data);

            PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);

            Asn1SequenceOf<PA_DATA> tempPaData = null;
            if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
            {
                tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
            }
            else
            {
                tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
                tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
            }
            //Create explicit FAST armor
            EncryptionKey explicitSubkey = KerberosUtility.MakeKey(
                Context.SelectedEType,
                "Password04!",
                "This is a salt");
            Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey);
            KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
                Context.ArmorTicket,
                plaintextAuthenticator,
                KeyUsageNumber.AP_REQ_Authenticator);
            FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request);

            //Create armor key
            var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey);
            Context.FastArmorkey = armorKey;

            //Create PA-FX-FAST
            var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor);

            PA_DATA[] elements;
            if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
            {
                elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
                elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
                elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
            }
            else
            {
                elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
            }
            Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
            KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);

            this.SendPdu(tgsRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
        }
        /// <summary>
        /// Create and send FAST TGS request
        /// </summary>
        /// <param name="sName">Service principal name</param>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
        /// <param name="outerSeqPaData">A sequence of preauthentication data</param>
        /// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
        /// <param name="fastOptions">FAST options</param>
        /// <param name="apOptions">AP options in FAST armor field</param>
        /// <param name="data">Authorization data</param>
        public void SendTgsRequestWithFastHideCName(
            string sName,
            PrincipalName cName,
            KdcOptions kdcOptions,
            Asn1SequenceOf<PA_DATA> innerSeqPaData,
            Asn1SequenceOf<PA_DATA> outerSeqPaData,
            EncryptionKey subKey,
            ApOptions apOptions,
            AuthorizationData data = null)
        {
            var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
                KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
            Context.Subkey = subKey;
            Context.ReplyKey = subKey;
            string domain = this.Context.Realm.Value;
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
            kdcReqBody.cname = cName;
            Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
            kdcReqBody.BerEncode(bodyBuffer);

            APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
            ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            KerberosApRequest apRequest = CreateApRequest(
                option,
                Context.Ticket,
                subKey,
                data,
                KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
                checksumType,
                bodyBuffer.Data);

            PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);

            Asn1SequenceOf<PA_DATA> tempPaData = null;
            if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
            {
                tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
            }
            else
            {
                tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
                tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
            }
            var armorKey = GetArmorKey(Context.SessionKey, subKey);
            var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue);
            Context.FastArmorkey = armorKey;
            PA_DATA[] elements;
            if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
            {
                elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
                Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
                elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
                elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
            }
            else
            {
                elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
            }
            Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
            KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);

            this.SendPdu(tgsRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
        }
        private void Smb2KerberosAuthentication(CaseVariant variant)
        {
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Initialize Kerberos Functional Client");
            KerberosFunctionalClient kerberosClient = new KerberosFunctionalClient(
                TestConfig.DomainName,
                TestConfig.UserName,
                TestConfig.UserPassword,
                KerberosAccountType.User,
                KDCIP,
                KDCPort,
                TransportType.TCP,
                OidPkt,
                BaseTestSite);

            #region Service Ticket
            EncryptionKey serviceKey;
            EncTicketPart encTicketPart = RetrieveAndDecryptServiceTicket(kerberosClient, out serviceKey);

            Ticket serviceTicket = kerberosClient.Context.Ticket.Ticket;

            Realm crealm = serviceTicket.realm;
            BaseTestSite.Assert.AreEqual(TestConfig.DomainName.ToLower(),
                encTicketPart.crealm.Value.ToLower(),
                "Realm name in service ticket encrypted part should match as expected, case insensitive");
            BaseTestSite.Assert.AreEqual(TestConfig.UserName.ToLower(),
                KerberosUtility.PrincipalName2String(encTicketPart.cname).ToLower(),
                "User name in service ticket encrypted part should match as expected, case insensitive.");

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the ticket");
                AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
                AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElement);
            }

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the ticket");
                AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
                AD_IF_RELEVANT ifRelavantElement =
                    new AD_IF_RELEVANT(new[] { unknownElement });
                var dataBuffer = new Asn1BerEncodingBuffer();
                ifRelavantElement.BerEncode(dataBuffer);
                AuthorizationDataElement unknownElementOptional =
                    new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data));
                AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElementOptional);
            }

            if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket start time to tomorrow");
                DateTime tomorrow = DateTime.Now.AddDays(1);
                string kerbTimeString = tomorrow.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
                encTicketPart.starttime = new KerberosTime(kerbTimeString, true);
            }
            if (variant.HasFlag(CaseVariant.TICKET_EXPIRED))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket end time to yesterday");
                DateTime yesterday = DateTime.Now.AddDays(-1);
                string kerbTimeString = yesterday.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
                encTicketPart.endtime = new KerberosTime(kerbTimeString, true);
            }

            if (variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Modify the Ticket, making it encrypted with wrong key");
                serviceKey = KerberosUtility.GenerateKey(serviceKey);
            }

            EncryptedData data = EncryptTicket(encTicketPart, serviceKey);
            serviceTicket.enc_part = data;

            if (variant.HasFlag(CaseVariant.TICKET_WRONG_REALM))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Realm in the Ticket to an unknown realm");
                serviceTicket.realm = new Realm("kerb.com");
            }
            if (variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the SNAME in the Ticket to an unknown service name");
                serviceTicket.sname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_SRV_INST),
                    KerberosUtility.String2SeqKerbString("UnknownService", TestConfig.DomainName));
            }
            if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep,
                    "Change the KVNO in the Ticket to an invalid Key Version Number (Int32.MaxValue)");
                const int invalidKvno = System.Int32.MaxValue;
                serviceTicket.enc_part.kvno = new KerbInt32(invalidKvno);
            }
            #endregion

            #region Authenticator
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create Authenticator");
            EncryptionKey subkey = KerberosUtility.GenerateKey(kerberosClient.Context.SessionKey);
            PrincipalName cname;
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong cname in the Authenticator");
                cname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_PRINCIPAL),
                    KerberosUtility.String2SeqKerbString(TestConfig.NonAdminUserName, TestConfig.DomainName));
            }
            else
            {
                cname = kerberosClient.Context.CName.Name;
            }

            Authenticator authenticator = CreateAuthenticator(cname, crealm, subkey);
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong crealm in the Authenticator");
                authenticator.crealm = new Realm("kerb.com");
            }

            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the ctime in the Authenticator to one hour later");
                DateTime oneHourLater = DateTime.Now.AddHours(1);
                string kerbTimeString = oneHourLater.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
                authenticator.ctime = new KerberosTime(kerbTimeString, true);
            }

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the Authenticator");
                AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
                authenticator.authorization_data = new AuthorizationData(new[] { unknownElement });
            }

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep,
                    "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the Authenticator");
                AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
                AD_IF_RELEVANT ifRelavantElement =
                    new AD_IF_RELEVANT(new[] { unknownElement });
                var dataBuffer = new Asn1BerEncodingBuffer();
                ifRelavantElement.BerEncode(dataBuffer);
                AuthorizationDataElement unknownElementOptional =
                    new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data));
                authenticator.authorization_data = new AuthorizationData(new[] { unknownElementOptional });
            }

            #endregion

            #region AP Request
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create AP Request");
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong key to encrypt the Authenticator");
                kerberosClient.Context.Ticket.SessionKey = KerberosUtility.GenerateKey(kerberosClient.Context.Ticket.SessionKey);
            }
            KerberosApRequest request = new KerberosApRequest(
                kerberosClient.Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.MutualRequired)),
                kerberosClient.Context.Ticket,
                authenticator,
                KeyUsageNumber.AP_REQ_Authenticator
            );
            #endregion

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create GSS Token");
            byte[] token = KerberosUtility.AddGssApiTokenHeader(request, OidPkt, GssToken);

            Smb2FunctionalClientForKerbAuth smb2Client = new Smb2FunctionalClientForKerbAuth(TestConfig.Timeout, TestConfig, BaseTestSite);
            smb2Client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);

            #region Check the result

            byte[] repToken;
            uint status = DoSessionSetupWithGssToken(smb2Client, token, out repToken);

            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH) || variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                    "Session Setup should fail because the cname or crealm in the authenticator does not match the same field in the Ticket");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH, krbError.ErrorCode,
                        "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY) || variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                    "Session Setup should fail because Ticket or Authenticator cannot be correctly decrypted");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED, krbError.ErrorCode,
                        "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                    "Session Setup should fail because the server time and the client time " +
                    "in the Authenticator differ by (1 hour) more than the allowable clock skew");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_SKEW, krbError.ErrorCode,
                        "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_SKEW);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO) ||
                variant.HasFlag(CaseVariant.TICKET_WRONG_REALM) ||
                variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME))
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "If decryption fails, server would try other keys");
            }
            if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                    "Session Setup should fail because the starttime (tomorrow) in the Ticket " +
                    "is later than the current time by more than the allowable clock skew");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV, krbError.ErrorCode,
                        "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.TICKET_EXPIRED))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                    "Session Setup should fail because the current time is later than the endtime (yesterday)" +
                    " in the Ticket by more than the allowable clock skew");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED, krbError.ErrorCode,
                        "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                    "Session Setup should fail because of the unknown AutherizationData in the ticket");
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR))
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment,
                    "Unknown AuthorizationData in the Authenticator should not fail the request");
            }
            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL) ||
                variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL))
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "Unknown AuthorizationData in AD_IF_RELEVANT is optional. " +
                                                           "Server should not fail the request.");
            }

            KerberosApResponse apRep = kerberosClient.GetApResponseFromToken(repToken, GssToken);
            // Get subkey from AP response, which used for signing in smb2
            apRep.Decrypt(kerberosClient.Context.Ticket.SessionKey.keyvalue.ByteArrayValue);
            smb2Client.SetSessionSigningAndEncryption(true, false, apRep.ApEncPart.subkey.keyvalue.ByteArrayValue);

            string path = Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare);
            AccessFile(smb2Client, path);
            #endregion

            smb2Client.LogOff();
            smb2Client.Disconnect();
        }
        private KDC_REQ_BODY CreateKdcRequestBody(
            KdcOptions kdcOptions,
            PrincipalName sName,
            KerberosTime from,
            KerberosTime till
            )
        {
            KerbUInt32 nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks));
            KerberosTime rtime = new KerberosTime(KerberosConstValue.TGT_RTIME);
            HostAddresses addresses =
                new HostAddresses(new HostAddress[1] { new HostAddress(new KerbInt32((int)AddressType.NetBios),
                    new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName()))) });

            KDCOptions options = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)kdcOptions));

            KDC_REQ_BODY kdcReqBody = new KDC_REQ_BODY(options, Context.CName.Name, Context.Realm, sName, from, till, rtime, nonce, Context.SupportedEType, addresses, null, null);
            return kdcReqBody;
        }
        public PaFxFastReq CreateTgsPaFxFast(
            EncryptionKey armorKey,
            KerberosTicket armorTicket,
            FastOptions fastOptions,
            ApOptions apOptions,
            Asn1SequenceOf<PA_DATA> seqPaData,
            string sName,
            byte[] apReq,
            IFastArmor armor = null
            )
        {
            string domain = this.Context.Realm.Value;
            PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
                KerberosUtility.String2SeqKerbString(sName.Split('/')));

            KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);

            //Generate checksum
            var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
            var chksum = KerberosUtility.GetChecksum(
                armorKey.keyvalue.ByteArrayValue,
                apReq,
                (int)KeyUsageNumber.FAST_REQ_CHECKSUM,
                checksumType);
            Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));

            KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
            KerberosArmoredRequest armoredReq
                = new KerberosArmoredRequest(armor, checkSum, (long)Context.SelectedEType, armorKey.keyvalue.ByteArrayValue, fastReq);
            PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
            paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
            PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
            return paFxfast;
        }
        /// <summary>
        /// Create and send AS request
        /// </summary>
        /// <param name="kdcOptions">KDC options</param>
        /// <param name="seqPaData">A sequence of preauthentication data</param>
        public void SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPaData, KerberosTime from, KerberosTime till)
        {
            string sName = KerberosConstValue.KERBEROS_SNAME;
            string domain = this.Context.Realm.Value;
            PrincipalName sname =
                new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));

            KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, from, till);
            KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData);
            this.SendPdu(asRequest);
            this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request.");
        }