/// <summary>
/// Decrypt this encrypted data using a key taken from the key set.
/// </summary>
/// <param name="keyset">The key set to search for a usable key.</param>
/// <param name="realm">The realm of the server principal.</param>
/// <param name="server_name">The server principal name.</param>
/// <param name="key_usage">The key usage value for the decryption.</param>
/// <param name="decrypted">Receives the decrypted bytes, or null when nothing could be decrypted.</param>
/// <returns>True if the data was decrypted.</returns>
internal bool Decrypt(KerberosKeySet keyset, string realm, KerberosPrincipalName server_name, RC4KeyUsage key_usage, out byte[] decrypted)
{
    // Only ARCFOUR-HMAC-MD5 is handled here; any other encryption type is reported as not decryptable.
    if (EncryptionType != KerberosEncryptionType.ARCFOUR_HMAC_MD5)
    {
        decrypted = null;
        return false;
    }
    return DecryptRC4(keyset, realm, server_name, key_usage, out decrypted);
}
internal bool Decrypt(KerberosKeySet keyset, KeyUsage key_usage, out KerberosTicket ticket) { if (this is KerberosTicketDecrypted) { ticket = this; return(true); } ticket = null; if (!EncryptedData.Decrypt(keyset, Realm, ServerName, key_usage, out byte[] decrypted))
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData authenticator = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); if (!Ticket.Decrypt(tmp_keys, KerberosKeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket)) { ticket = null; } if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, KerberosKeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset) { KerberosEncryptedData authenticator = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.Keys); if (!Ticket.Decrypt(tmp_keys, RC4KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket)) { ticket = null; } if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, RC4KeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
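/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the token with. Only Kerberos keys are used; other key types are ignored.</param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable<AuthenticationKey> keyset)
{
    KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType<KerberosAuthenticationKey>());
    if (!Ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
    {
        ticket = null;
    }
    // Nothing decrypted: defer to the base implementation rather than copying the token.
    if (ticket == null)
    {
        return base.Decrypt(keyset);
    }
    // Return a shallow copy so the original (still encrypted) token is left untouched.
    var ret = (KerberosTGTReplyAuthenticationToken)MemberwiseClone();
    ret.Ticket = ticket;
    return ret;
}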
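/// <summary>
/// Decrypt the data with RC4-HMAC using a key from the key set.
/// </summary>
/// <param name="keyset">The key set to search.</param>
/// <param name="realm">The realm of the server principal.</param>
/// <param name="server_name">The server principal name.</param>
/// <param name="key_usage">The key usage value for the decryption.</param>
/// <param name="decrypted">Receives the decrypted bytes, or null when no key worked.</param>
/// <returns>True if one of the keys decrypted the data.</returns>
private bool DecryptRC4(KerberosKeySet keyset, string realm, KerberosPrincipalName server_name, RC4KeyUsage key_usage, out byte[] decrypted)
{
    // Prefer the key that matches the server principal and key version exactly.
    KerberosKey key = keyset.FindKey(EncryptionType, server_name.NameType, server_name.GetPrincipal(realm), KeyVersion ?? 0);
    if (key != null && DecryptRC4WithKey(key, key_usage, out decrypted))
    {
        return true;
    }
    // Fall back to every key of this encryption type. Each candidate must be
    // tried in turn; retrying the (possibly null) lookup key would never succeed.
    foreach (var next in keyset.GetKeysForEncryption(EncryptionType))
    {
        if (DecryptRC4WithKey(next, key_usage, out decrypted))
        {
            return true;
        }
    }
    decrypted = null;
    return false;
}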
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData encdata = null; KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); List <KerberosTicket> dec_tickets = new List <KerberosTicket>(); bool decrypted_ticket = false; foreach (var ticket in Tickets) { if (ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket dec_ticket)) { dec_tickets.Add(dec_ticket); decrypted_ticket = true; } else { dec_tickets.Add(ticket); } } if (EncryptedPart.Decrypt(tmp_keys, string.Empty, new KerberosPrincipalName(), KeyUsage.KrbCred, out byte[] decrypted))
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset) { KerberosEncryptedData encrypted_part = null; KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>()); if (EncryptedPart.Decrypt(tmp_keyset, string.Empty, new KerberosPrincipalName(), KerberosKeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the wrapped credentials in place using the key set.
/// </summary>
/// <param name="keyset">The set of keys to try.</param>
internal void Decrypt(KerberosKeySet keyset)
{
    // Decrypt returns the token base type; the result is stored back as a credential.
    var decrypted_creds = Credentials.Decrypt(keyset);
    Credentials = (KerberosCredential)decrypted_creds;
}
/// <summary>
/// Parse a decrypted Authenticator ([APPLICATION 2] SEQUENCE) into a KerberosAuthenticator.
/// </summary>
/// <param name="orig_ticket">The ticket the authenticator belongs to; its Realm and ServerName are passed through when parsing the sub-key.</param>
/// <param name="orig_data">The original encrypted data the authenticator is constructed from.</param>
/// <param name="decrypted">The decrypted DER-encoded authenticator bytes.</param>
/// <param name="keyset">Keys used (together with the sub-key, if present) to decrypt GSS-API credentials carried in the checksum.</param>
/// <param name="ticket">Receives the parsed authenticator, or null if parsing failed.</param>
/// <returns>True if the bytes parsed as a well-formed authenticator.</returns>
internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, KerberosKeySet keyset, out KerberosEncryptedData ticket)
{
    ticket = null;
    try
    {
        DERValue[] values = DERParser.ParseData(decrypted, 0);
        // Exactly one top-level DER value is expected.
        if (values.Length != 1)
        {
            return(false);
        }
        DERValue value = values[0];
        // Outer structure is application tag 2 wrapping a SEQUENCE.
        if (!value.CheckApplication(2) || !value.HasChildren())
        {
            return(false);
        }
        if (!value.Children[0].CheckSequence())
        {
            return(false);
        }
        var ret = new KerberosAuthenticator(orig_data);
        // Each SEQUENCE element is a context-specific tagged field; unknown tags fail the parse.
        foreach (var next in value.Children[0].Children)
        {
            if (next.Type != DERTagType.ContextSpecific)
            {
                return(false);
            }
            switch (next.Tag)
            {
                case 0:
                    // Version number; only 5 is accepted.
                    if (next.ReadChildInteger() != 5)
                    {
                        return(false);
                    }
                    break;
                case 1:
                    ret.ClientRealm = next.ReadChildGeneralString();
                    break;
                case 2:
                    // NOTE(review): Children[0] is indexed without a HasChildren() guard here and in case 3
                    // (unlike cases 6 and 8); an empty child list would raise an exception that the
                    // catch clauses below do not handle — confirm whether Children is guaranteed non-empty.
                    if (!next.Children[0].CheckSequence())
                    {
                        return(false);
                    }
                    ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
                    break;
                case 3:
                    if (!next.Children[0].CheckSequence())
                    {
                        return(false);
                    }
                    ret.Checksum = KerberosChecksum.Parse(next.Children[0]);
                    break;
                case 4:
                    ret.ClientUSec = next.ReadChildInteger();
                    break;
                case 5:
                    ret.ClientTime = next.ReadChildGeneralizedTime();
                    break;
                case 6:
                    if (!next.HasChildren())
                    {
                        return(false);
                    }
                    // The sub-key is bound to the ticket's realm and server name.
                    ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
                    break;
                case 7:
                    ret.SequenceNumber = next.ReadChildInteger();
                    break;
                case 8:
                    if (!next.HasChildren())
                    {
                        return(false);
                    }
                    ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
                    break;
                default:
                    return(false);
            }
        }
        // A GSS-API checksum may carry delegated credentials; decrypt them with the caller's
        // keys plus the authenticator sub-key. AsEnumerable() on a null keyset yields null,
        // so the ?? makes a missing keyset behave like an empty one.
        if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null)
        {
            KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosAuthenticationKey[0]);
            if (ret.SubKey != null)
            {
                tmp_keyset.Add(ret.SubKey);
            }
            gssapi.Decrypt(tmp_keyset);
        }
        ticket = ret;
    }
    catch (InvalidDataException)
    {
        // Malformed DER content is reported as a failed parse rather than propagated.
        return(false);
    }
    catch (EndOfStreamException)
    {
        return(false);
    }
    return(true);
}
/// <summary> /// Decrypt the Authentication Token using a keyset. /// </summary> /// <param name="keyset">The set of keys to decrypt the </param> /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns> public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset) { KerberosEncryptedData encrypted_part = null; if (EncryptedPart.Decrypt(keyset, string.Empty, new KerberosPrincipalName(), KeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the token with.</param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
/// <remarks>
/// The base implementation has nothing to decrypt and returns the token unchanged;
/// derived token types override this to decrypt their encrypted parts.
/// </remarks>
public virtual KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
{
    KerberosAuthenticationToken unchanged = this;
    return unchanged;
}
/// <summary>
/// Parse a decrypted ticket body ([APPLICATION 3] SEQUENCE) into a KerberosTicketDecrypted.
/// </summary>
/// <param name="orig_ticket">The encrypted ticket this decrypted view is built from; its Realm and ServerName are passed through when parsing the session key.</param>
/// <param name="decrypted">The decrypted DER-encoded ticket bytes.</param>
/// <param name="keyset">Key set that receives the ticket's session key as a side effect (see tag 1).</param>
/// <param name="ticket">Receives the parsed ticket, or null if parsing failed.</param>
/// <returns>True if the bytes parsed as a well-formed ticket body.</returns>
internal static bool Parse(KerberosTicket orig_ticket, byte[] decrypted, KerberosKeySet keyset, out KerberosTicket ticket)
{
    ticket = null;
    try
    {
        DERValue[] values = DERParser.ParseData(decrypted, 0);
        // Exactly one top-level DER value is expected.
        if (values.Length != 1)
        {
            return(false);
        }
        DERValue value = values[0];
        // Outer structure is application tag 3 wrapping a SEQUENCE.
        if (!value.CheckApplication(3) || !value.HasChildren())
        {
            return(false);
        }
        if (!value.Children[0].CheckSequence())
        {
            return(false);
        }
        var ret = new KerberosTicketDecrypted(orig_ticket);
        // Each SEQUENCE element is a context-specific tagged field; unknown tags fail the parse.
        foreach (var next in value.Children[0].Children)
        {
            if (next.Type != DERTagType.ContextSpecific)
            {
                return(false);
            }
            switch (next.Tag)
            {
                case 0:
                    ret.Flags = ConvertTicketFlags(next.ReadChildBitString());
                    break;
                case 1:
                    if (!next.HasChildren())
                    {
                        return(false);
                    }
                    ret.Key = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
                    // Side effect: the session key is added to the caller's key set, presumably so
                    // later decryptions can use it. NOTE(review): a null keyset would throw here and
                    // that exception is not among the types caught below — confirm callers never pass null.
                    keyset.Add(ret.Key);
                    break;
                case 2:
                    ret.ClientRealm = next.ReadChildGeneralString();
                    break;
                case 3:
                    // NOTE(review): Children[0] is indexed without a HasChildren() guard, unlike the
                    // neighbouring cases; confirm Children is guaranteed non-empty here.
                    if (!next.Children[0].CheckSequence())
                    {
                        return(false);
                    }
                    ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
                    break;
                case 4:
                    if (!next.HasChildren())
                    {
                        return(false);
                    }
                    ret.TransitedType = KerberosTransitedEncoding.Parse(next.Children[0]);
                    break;
                case 5:
                    ret.AuthTime = next.ReadChildGeneralizedTime();
                    break;
                case 6:
                    ret.StartTime = next.ReadChildGeneralizedTime();
                    break;
                case 7:
                    ret.EndTime = next.ReadChildGeneralizedTime();
                    break;
                case 8:
                    ret.RenewTill = next.ReadChildGeneralizedTime();
                    break;
                case 9:
                    if (!next.HasChildren())
                    {
                        return(false);
                    }
                    ret.HostAddresses = KerberosHostAddress.ParseSequence(next.Children[0]);
                    break;
                case 10:
                    if (!next.HasChildren())
                    {
                        return(false);
                    }
                    ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
                    break;
                default:
                    return(false);
            }
        }
        ticket = ret;
    }
    catch (InvalidDataException)
    {
        // Malformed DER content is reported as a failed parse rather than propagated.
        return(false);
    }
    catch (EndOfStreamException)
    {
        return(false);
    }
    return(true);
}