internal bool Decrypt(KerberosKeySet keyset, string realm, KerberosPrincipalName server_name, RC4KeyUsage key_usage, out byte[] decrypted)
{
if (EncryptionType == KerberosEncryptionType.ARCFOUR_HMAC_MD5)
{
return(DecryptRC4(keyset, realm, server_name, key_usage, out decrypted));
}
decrypted = null;
return(false);
}
internal bool Decrypt(KerberosKeySet keyset, KeyUsage key_usage, out KerberosTicket ticket)
{
if (this is KerberosTicketDecrypted)
{
ticket = this;
return(true);
}
ticket = null;
if (!EncryptedData.Decrypt(keyset, Realm, ServerName, key_usage, out byte[] decrypted))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData authenticator = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
if (!Ticket.Decrypt(tmp_keys, KerberosKeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
{
ticket = null;
}
if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, KerberosKeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
{
KerberosEncryptedData authenticator = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.Keys);
if (!Ticket.Decrypt(tmp_keys, RC4KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
{
ticket = null;
}
if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, RC4KeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData authenticator = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
if (!Ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
{
ticket = null;
}
if (ticket != null || authenticator != null)
{
var ret = (KerberosTGTReplyAuthenticationToken)MemberwiseClone();
ret.Ticket = ticket ?? ret.Ticket;
return(ret);
}
return(base.Decrypt(keyset));
}
private bool DecryptRC4(KerberosKeySet keyset, string realm, KerberosPrincipalName server_name, RC4KeyUsage key_usage, out byte[] decrypted)
{
KerberosKey key = keyset.FindKey(EncryptionType, server_name.NameType, server_name.GetPrincipal(realm), KeyVersion ?? 0);
if (key != null)
{
if (DecryptRC4WithKey(key, key_usage, out decrypted))
{
return(true);
}
}
foreach (var next in keyset.GetKeysForEncryption(EncryptionType))
{
if (DecryptRC4WithKey(key, key_usage, out decrypted))
{
return(true);
}
}
decrypted = null;
return(false);
}
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData encdata = null;
KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
List <KerberosTicket> dec_tickets = new List <KerberosTicket>();
bool decrypted_ticket = false;
foreach (var ticket in Tickets)
{
if (ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket dec_ticket))
{
dec_tickets.Add(dec_ticket);
decrypted_ticket = true;
}
else
{
dec_tickets.Add(ticket);
}
}
if (EncryptedPart.Decrypt(tmp_keys, string.Empty, new KerberosPrincipalName(), KeyUsage.KrbCred, out byte[] decrypted))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override AuthenticationToken Decrypt(IEnumerable <AuthenticationKey> keyset)
{
KerberosEncryptedData encrypted_part = null;
KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.OfType <KerberosAuthenticationKey>());
if (EncryptedPart.Decrypt(tmp_keyset, string.Empty, new KerberosPrincipalName(), KerberosKeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
internal void Decrypt(KerberosKeySet keyset)
{
Credentials = (KerberosCredential)Credentials.Decrypt(keyset);
}
internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData orig_data, byte[] decrypted, KerberosKeySet keyset, out KerberosEncryptedData ticket)
{
ticket = null;
try
{
DERValue[] values = DERParser.ParseData(decrypted, 0);
if (values.Length != 1)
{
return(false);
}
DERValue value = values[0];
if (!value.CheckApplication(2) || !value.HasChildren())
{
return(false);
}
if (!value.Children[0].CheckSequence())
{
return(false);
}
var ret = new KerberosAuthenticator(orig_data);
foreach (var next in value.Children[0].Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
return(false);
}
switch (next.Tag)
{
case 0:
if (next.ReadChildInteger() != 5)
{
return(false);
}
break;
case 1:
ret.ClientRealm = next.ReadChildGeneralString();
break;
case 2:
if (!next.Children[0].CheckSequence())
{
return(false);
}
ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
break;
case 3:
if (!next.Children[0].CheckSequence())
{
return(false);
}
ret.Checksum = KerberosChecksum.Parse(next.Children[0]);
break;
case 4:
ret.ClientUSec = next.ReadChildInteger();
break;
case 5:
ret.ClientTime = next.ReadChildGeneralizedTime();
break;
case 6:
if (!next.HasChildren())
{
return(false);
}
ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
break;
case 7:
ret.SequenceNumber = next.ReadChildInteger();
break;
case 8:
if (!next.HasChildren())
{
return(false);
}
ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
break;
default:
return(false);
}
}
if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null)
{
KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosAuthenticationKey[0]);
if (ret.SubKey != null)
{
tmp_keyset.Add(ret.SubKey);
}
gssapi.Decrypt(tmp_keyset);
}
ticket = ret;
}
catch (InvalidDataException)
{
return(false);
}
catch (EndOfStreamException)
{
return(false);
}
return(true);
}
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
{
KerberosEncryptedData encrypted_part = null;
if (EncryptedPart.Decrypt(keyset, string.Empty, new KerberosPrincipalName(), KeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
/// <summary>
/// Decrypt the Authentication Token using a keyset.
/// </summary>
/// <param name="keyset">The set of keys to decrypt the </param>
/// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
public virtual KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
{
return(this);
}
internal static bool Parse(KerberosTicket orig_ticket, byte[] decrypted, KerberosKeySet keyset, out KerberosTicket ticket)
{
ticket = null;
try {
DERValue[] values = DERParser.ParseData(decrypted, 0);
if (values.Length != 1)
{
return(false);
}
DERValue value = values[0];
if (!value.CheckApplication(3) || !value.HasChildren())
{
return(false);
}
if (!value.Children[0].CheckSequence())
{
return(false);
}
var ret = new KerberosTicketDecrypted(orig_ticket);
foreach (var next in value.Children[0].Children)
{
if (next.Type != DERTagType.ContextSpecific)
{
return(false);
}
switch (next.Tag)
{
case 0:
ret.Flags = ConvertTicketFlags(next.ReadChildBitString());
break;
case 1:
if (!next.HasChildren())
{
return(false);
}
ret.Key = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
keyset.Add(ret.Key);
break;
case 2:
ret.ClientRealm = next.ReadChildGeneralString();
break;
case 3:
if (!next.Children[0].CheckSequence())
{
return(false);
}
ret.ClientName = KerberosPrincipalName.Parse(next.Children[0]);
break;
case 4:
if (!next.HasChildren())
{
return(false);
}
ret.TransitedType = KerberosTransitedEncoding.Parse(next.Children[0]);
break;
case 5:
ret.AuthTime = next.ReadChildGeneralizedTime();
break;
case 6:
ret.StartTime = next.ReadChildGeneralizedTime();
break;
case 7:
ret.EndTime = next.ReadChildGeneralizedTime();
break;
case 8:
ret.RenewTill = next.ReadChildGeneralizedTime();
break;
case 9:
if (!next.HasChildren())
{
return(false);
}
ret.HostAddresses = KerberosHostAddress.ParseSequence(next.Children[0]);
break;
case 10:
if (!next.HasChildren())
{
return(false);
}
ret.AuthorizationData = KerberosAuthorizationData.ParseSequence(next.Children[0]);
break;
default:
return(false);
}
}
ticket = ret;
} catch (InvalidDataException) {
return(false);
} catch (EndOfStreamException) {
return(false);
}
return(true);
}
