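/// <summary>
/// Applies credential-specific changes to the KDC-REQ message and is what supplies the PKINIT properties to the request.
/// </summary>
/// <param name="req">The <see cref="KrbKdcReq"/> that will be modified.</param>
/// <exception cref="ArgumentNullException"><paramref name="req"/> is null.</exception>
public override void TransformKdcReq(KrbKdcReq req)
{
    if (req == null)
    {
        throw new ArgumentNullException(nameof(req));
    }

    agreement = StartKeyAgreement();

    // We don't support the straight RSA mode because
    // it doesn't rely on ephemeral key agreement
    // which isn't great security-wise
    if (agreement == null)
    {
        throw OnlyKeyAgreementSupportedException();
    }

    // A KDC-REQ may carry no PA-DATA at all; treat a missing sequence as
    // empty instead of failing on it when we append our own entry.
    var padata = (req.PaData ?? Enumerable.Empty<KrbPaData>()).ToList();

    KrbAuthPack authPack;

    if (SupportsEllipticCurveDiffieHellman)
    {
        authPack = CreateEllipticCurveDiffieHellmanAuthPack(req.Body);
    }
    else if (SupportsDiffieHellman)
    {
        authPack = CreateDiffieHellmanAuthPack(req.Body);
    }
    else
    {
        throw OnlyKeyAgreementSupportedException();
    }

    // Read the timestamp into locals first: an `out` argument must be an
    // assignable variable, which a property on PKAuthenticator is not.
    KerberosConstants.Now(out var ctime, out var usec);

    authPack.PKAuthenticator.CTime = ctime;
    authPack.PKAuthenticator.CuSec = usec;

    // The AuthPack (client nonce, timestamp and DH public value) is signed
    // with this credential's certificate so the KDC can bind it to us.
    SignedCms signed = new SignedCms(
        new ContentInfo(
            IdPkInitAuthData,
            authPack.Encode().ToArray()
        )
    );

    var signer = new CmsSigner(Certificate) { IncludeOption = IncludeOption };

    // silent: true tells the CMS signer not to show any key-provider UI, so a
    // private key that needs interactive unlock fails here rather than prompting.
    signed.ComputeSignature(signer, silent: true);

    var pk = new KrbPaPkAsReq { SignedAuthPack = signed.Encode() };

    padata.Add(new KrbPaData
    {
        Type = PaDataType.PA_PK_AS_REQ,
        Value = pk.Encode()
    });

    req.PaData = padata.ToArray();
}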
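/// <summary>
/// Applies credential-specific changes to the KDC-REQ message and is what supplies the PKINIT properties to the request.
/// </summary>
/// <param name="req">The <see cref="KrbKdcReq"/> that will be modified.</param>
/// <exception cref="ArgumentNullException"><paramref name="req"/> is null.</exception>
public override void TransformKdcReq(KrbKdcReq req)
{
    if (req == null)
    {
        throw new ArgumentNullException(nameof(req));
    }

    // A KDC-REQ may carry no PA-DATA at all; treat a missing sequence as
    // empty instead of failing on it when we append our own entry.
    var padata = (req.PaData ?? Enumerable.Empty<KrbPaData>()).ToList();

    KrbAuthPack authPack;

    // Only the Diffie-Hellman flavours of PKINIT are produced here; anything
    // else is refused rather than falling back to a weaker mode.
    if (SupportsEllipticCurveDiffieHellman)
    {
        authPack = CreateEllipticCurveDiffieHellmanAuthPack(req.Body);
    }
    else if (SupportsDiffieHellman)
    {
        authPack = CreateDiffieHellmanAuthPack(req.Body);
    }
    else
    {
        throw OnlyKeyAgreementSupportedException();
    }

    // Read the timestamp into locals first: an `out` argument must be an
    // assignable variable, which a property on PKAuthenticator is not.
    KerberosConstants.Now(out var ctime, out var usec);

    authPack.PKAuthenticator.CTime = ctime;
    authPack.PKAuthenticator.CuSec = usec;

    // The AuthPack is signed with this credential's certificate so the KDC
    // can bind the request to the certificate holder.
    SignedCms signed = new SignedCms(
        new ContentInfo(
            IdPkInitAuthData,
            authPack.Encode().ToArray()
        )
    );

    var signer = new CmsSigner(Certificate) { IncludeOption = IncludeOption };

    // silent: true tells the CMS signer not to show any key-provider UI, so a
    // private key that needs interactive unlock fails here rather than prompting.
    signed.ComputeSignature(signer, silent: true);

    var pk = new KrbPaPkAsReq { SignedAuthPack = signed.Encode() };

    padata.Add(new KrbPaData
    {
        Type = PaDataType.PA_PK_AS_REQ,
        Value = pk.Encode()
    });

    req.PaData = padata.ToArray();
}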
/// <summary>
/// Adds the PKINIT pre-authentication data (PA-PK-AS-REQ) to a KDC-REQ:
/// starts an ephemeral key agreement, builds the matching AuthPack, signs it
/// as CMS with this credential's certificate and appends it to the request's PA-DATA.
/// </summary>
/// <param name="req">The <see cref="KrbKdcReq"/> that will be modified.</param>
/// <exception cref="ArgumentNullException"><paramref name="req"/> is null.</exception>
public override void TransformKdcReq(KrbKdcReq req)
{
    if (req is null)
    {
        throw new ArgumentNullException(nameof(req));
    }

    // Plain RSA key transport has no ephemeral key agreement and is refused;
    // only the Diffie-Hellman flavours of PKINIT are offered.
    this.agreement = this.StartKeyAgreement();

    if (this.agreement is null)
    {
        throw OnlyKeyAgreementSupportedException();
    }

    // Snapshot the existing PA-DATA up front (a null sequence fails here,
    // before any key material is produced or signed).
    var existing = req.PaData.ToArray();

    KrbAuthPack BuildAuthPack()
    {
        if (this.SupportsEllipticCurveDiffieHellman)
        {
            return this.CreateEllipticCurveDiffieHellmanAuthPack(req.Body);
        }

        if (this.SupportsDiffieHellman)
        {
            return this.CreateDiffieHellmanAuthPack(req.Body);
        }

        throw OnlyKeyAgreementSupportedException();
    }

    var authPack = BuildAuthPack();

    // The timestamp goes through locals because `out` needs an assignable variable.
    Now(out DateTimeOffset ctime, out int usec);

    authPack.PKAuthenticator.CTime = ctime;
    authPack.PKAuthenticator.CuSec = usec;

    var content = new ContentInfo(IdPkInitAuthData, authPack.Encode().ToArray());
    var signed = new SignedCms(content);

    var signer = new CmsSigner(this.Certificate)
    {
        IncludeOption = this.IncludeOption
    };

    // Key-provider UI is suppressed unless this credential is allowed to prompt.
    signed.ComputeSignature(signer, silent: !CanPrompt);

    var pkAsReq = new KrbPaPkAsReq
    {
        SignedAuthPack = signed.Encode()
    };

    var pkPaData = new KrbPaData
    {
        Type = PaDataType.PA_PK_AS_REQ,
        Value = pkAsReq.Encode()
    };

    req.PaData = existing.Append(pkPaData).ToArray();
}