public override void PreValidate(PreAuthenticationContext preauth) { if (preauth == null) { throw new ArgumentNullException(nameof(preauth)); } var asReq = (KrbKdcReq)preauth.Message; var paPk = asReq.PaData.FirstOrDefault(p => p.Type == PaDataType.PA_PK_AS_REQ); if (paPk == null) { return; } var pkreq = KrbPaPkAsReq.Decode(paPk.Value); var signedCms = new SignedCms(); signedCms.Decode(pkreq.SignedAuthPack.ToArray()); var state = new PkInitState { PkInitRequest = pkreq, Cms = signedCms }; state.ClientCertificate.AddRange(signedCms.Certificates); preauth.PreAuthenticationState[PaDataType.PA_PK_AS_REQ] = state; }
public void ParsePaPkAsReq_SignedAuthPack_ParseAuthPack() { KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq); SignedCms signedCms = new SignedCms(); signedCms.Decode(asreq.SignedAuthPack.ToArray()); signedCms.CheckSignature(verifySignatureOnly: true); KrbAuthPack authPack = KrbAuthPack.Decode(signedCms.ContentInfo.Content); Assert.IsNotNull(authPack); var param = authPack.ClientPublicValue.Algorithm.Parameters.Value; var b64 = Convert.ToBase64String(param.ToArray()); var domainParams = KrbDiffieHellmanDomainParameters.DecodeSpecial(param); Assert.IsNotNull(domainParams); var special = domainParams.EncodeSpecial(); Assert.IsTrue(special.Span.SequenceEqual(param.ToArray())); var decodedPk = CryptEncode.CryptDecodePublicParameter(authPack.ClientPublicValue.SubjectPublicKey).Slice(16); }
public void ParsePaPkAsReq_SignedAuthPack() { KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq); SignedCms signedCms = new SignedCms(); signedCms.Decode(asreq.SignedAuthPack.ToArray()); signedCms.CheckSignature(verifySignatureOnly: true); }
public override async Task <KrbPaData> Validate(KrbKdcReq asReq, PreAuthenticationContext preauth) { var paPk = asReq.PaData.FirstOrDefault(p => p.Type == PaDataType.PA_PK_AS_REQ); if (paPk == null) { return(null); } var pkreq = KrbPaPkAsReq.Decode(paPk.Value); var authPack = await ValidateAuthPack(preauth.Principal, pkreq); ValidateAuthenticator(authPack.PKAuthenticator, asReq.Body); var requestAlg = authPack.ClientPublicValue?.Algorithm?.Algorithm; IKeyAgreement agreement; if (requestAlg?.Value == EllipticCurveDiffieHellman.Value) { agreement = FromEllipticCurveDomainParameters(authPack.ClientPublicValue); } else if (requestAlg?.Value == DiffieHellman.Value) { agreement = await FromDiffieHellmanDomainParametersAsync(authPack.ClientPublicValue); } else { throw OnlyKeyAgreementSupportedException(); } var derivedKey = agreement.GenerateAgreement(); var etype = asReq.Body.EType.First(); var transform = CryptoService.CreateTransform(etype); ReadOnlyMemory <byte> clientDHNonce = authPack.ClientDHNonce.GetValueOrDefault(); ReadOnlyMemory <byte> serverDHNonce = default; if (clientDHNonce.Length > 0) { serverDHNonce = transform.GenerateRandomBytes(agreement.PublicKey.KeyLength); await Service.Principals.CacheKey(agreement.PrivateKey); } var keyInfo = new KrbKdcDHKeyInfo { SubjectPublicKey = agreement.PublicKey.EncodePublicKey() }; if (agreement.PublicKey.CacheExpiry.HasValue) { keyInfo.DHKeyExpiration = agreement.PublicKey.CacheExpiry; keyInfo.Nonce = authPack.PKAuthenticator.Nonce; } var sessionKey = PKInitString2Key.String2Key( derivedKey.Span, transform.KeySize, clientDHNonce.Span, serverDHNonce.Span ); var paPkRep = new KrbPaPkAsRep { DHInfo = new KrbDHReplyInfo { DHSignedData = await SignDHResponseAsync(keyInfo), ServerDHNonce = serverDHNonce } }; preauth.PaData = new[] { new KrbPaData { Type = PaDataType.PA_PK_AS_REP, Value = paPkRep.Encode() } }; preauth.EncryptedPartKey = new KerberosKey(key: sessionKey.ToArray(), etype: etype); return(null); }
public void ParsePaPkAsReq() { KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq); Assert.IsNotNull(asreq); }