public DtlsClientSecurityContext(
SecurityPackageType packageType,
CertificateCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
if (clientCredential == null)
{
clientCredential = new CertificateCredential(null);
}
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.DtlsAcquireCredentialsHandle(
packageType,
clientCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_OUTBOUND,
out this.credentialHandle);
bStreamSizes = false;
hasMoreFragments = false;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="packageType">Specifies the name of the security package with which these credentials will be used
/// </param>
/// <param name="serverCredential">The credential of server, if null, use default user account.</param>
/// <param name="serverPrincipal">Server principal name</param>
/// <param name="contextAttributes">Bit flags that specify the attributes required by the server to establish
/// the context</param>
/// <param name="targetDataRep">The data representation, such as byte ordering, on the target. This parameter
/// can be either SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.</param>
public SspiServerSecurityContext(
SecurityPackageType packageType,
CertificateCredential serverCredential,
string serverPrincipal,
ServerSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.AcquireCredentialsHandle(
packageType,
serverCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_INBOUND,
out this.credentialHandle);
}
public DtlsServerSecurityContext(
SecurityPackageType packageType,
CertificateCredential serverCredential,
string serverPrincipal,
ServerSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.DtlsAcquireCredentialsHandle(
packageType,
serverCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_INBOUND,
out this.credentialHandle);
bStreamSizes = false;
hasMoreFragments = false;
}
/// <summary>
/// Constructor.
/// </summary>
/// <param name="credential">Certificate credential</param>
/// <param name="enabledProtocols">Enabled protocols</param>
internal SchannelCred(CertificateCredential credential, uint enabledProtocols)
{
//There is 1 structures in the paCred array.
const uint CountOfCred = 1;
this.dwVersion = Consts.SCHANNEL_CRED_VERSION;
if (credential != null && credential.Certificate != null)
{
this.cCreds = CountOfCred;
this.paCred = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
Marshal.WriteIntPtr(this.paCred, credential.Certificate.Handle);
}
else
{
this.paCred = IntPtr.Zero;
this.cCreds = 0;
}
this.hRootStore = IntPtr.Zero;
this.cMappers = 0;
this.aphMappers = IntPtr.Zero;
this.cSupportedAlgs = 0;
this.palgSupportedAlgs = IntPtr.Zero;
this.grbitEnabledProtocols = enabledProtocols;
this.dwMinimumCipherStrength = 0;
this.dwMaximumCipherStrength = 0;
this.dwSessionLifespan = 0;
if (credential == null || credential.Certificate == null)
{
this.dwFlags = Consts.SCH_CRED_MANUAL_CRED_VALIDATION | Consts.SCH_CRED_NO_DEFAULT_CREDS;
}
else
{
this.dwFlags = 0;
}
this.dwCredFormat = 0;
}
public SspiClientSecurityContext(
SecurityPackageType packageType,
CertificateCredential clientCredential,
string serverPrincipal,
ClientSecurityContextAttribute contextAttributes,
SecurityTargetDataRepresentation targetDataRep)
{
this.packageType = packageType;
this.serverPrincipalName = serverPrincipal;
this.securityContextAttributes = contextAttributes;
this.targetDataRepresentaion = targetDataRep;
SspiUtility.AcquireCredentialsHandle(
packageType,
clientCredential,
serverPrincipal,
NativeMethods.SECPKG_CRED_OUTBOUND,
out this.credentialHandle);
}
internal static void DtlsAcquireCredentialsHandle(
SecurityPackageType packageType,
CertificateCredential certificateCredential,
string serverPrincipal,
uint fCredentialUse,
out SecurityHandle credentialHandle)
{
string stringPackage = SspiUtility.GetPackageStringName(packageType);
SecurityInteger expiryTime = new SecurityInteger();
uint enabledProtocols;
if (fCredentialUse == NativeMethods.SECPKG_CRED_OUTBOUND)
{
enabledProtocols = NativeMethods.SP_PROT_DTLS_CLIENT;
}
else
{
enabledProtocols = NativeMethods.SP_PROT_DTLS_SERVER;
}
SchannelCred schannelCred = new SchannelCred(certificateCredential, enabledProtocols);
CredSspCred sspCred = new CredSspCred();
IntPtr pAuthData = IntPtr.Zero;
if (packageType == SecurityPackageType.Schannel)
{
pAuthData = SspiUtility.CreateAuthData(schannelCred);
}
else if (packageType == SecurityPackageType.CredSsp)
{
sspCred.pSchannelCred = SspiUtility.CreateAuthData(schannelCred);
sspCred.pSpnegoCred = IntPtr.Zero;
sspCred.Type = CredSspSubmitType.CredsspSubmitBufferBoth;
pAuthData = SspiUtility.CreateAuthData(sspCred);
}
uint result = NativeMethods.AcquireCredentialsHandle(
null,
stringPackage,
fCredentialUse,
IntPtr.Zero,
pAuthData,
IntPtr.Zero,
IntPtr.Zero,
out credentialHandle,
out expiryTime);
//Free memory
SspiUtility.FreeSchannelCred(schannelCred);
if (pAuthData != IntPtr.Zero)
{
if (packageType == SecurityPackageType.CredSsp)
{
Marshal.FreeHGlobal(sspCred.pSchannelCred);
}
Marshal.FreeHGlobal(pAuthData);
}
if (result != NativeMethods.SEC_E_OK)
{
throw new SspiException("AquireCredentialsHandle fails.", result);
}
}
/// <summary>
/// Performs CredSSP authentication.
/// </summary>
/// <param name="x509Cert">The certificate used by TLS.</param>
/// <exception cref="IOException">Raised when attempting to read from/write to the remote connection which
/// has been closed</exception>
/// <exception cref="EndOfStreamException">Raised when the username or password doesn't match or authentication
/// fails</exception>
public void Authenticate(X509Certificate x509Cert)
{
// Authenticated already, do nothing
if (isAuthenticated)
{
return;
}
credential = new CertificateCredential(x509Cert);
byte[] receivedBuffer = new byte[MaxBufferSize];
int bytesReceived = 0;
// Dispose the context as it may be timed out
if (context != null)
{
context.Dispose();
}
context = new SspiServerSecurityContext(
SecurityPackageType.CredSsp,
credential,
serverPrincipal,
attribute,
SecurityTargetDataRepresentation.SecurityNativeDrep);
// Get first token
byte[] token = context.Token;
// Credssp handshake
while (context.NeedContinueProcessing)
{
// Get handshake resopnse
bytesReceived = serverStream.Read(receivedBuffer, 0, receivedBuffer.Length);
// The remote connection has been closed
if (bytesReceived == 0)
{
throw new EndOfStreamException("Authentication failed: remote connection has been closed.");
}
byte[] inToken = new byte[bytesReceived];
Array.Copy(receivedBuffer, inToken, bytesReceived);
// Get next token from response
context.Accept(inToken);
token = context.Token;
if (token != null)
{
// Send handshake request
serverStream.Write(token, 0, token.Length);
}
}
isAuthenticated = true;
}
/// <summary>
/// Constructor.
/// </summary>
/// <param name="credential">Certificate credential</param>
/// <param name="enabledProtocols">Enabled protocols</param>
internal SchannelCred(CertificateCredential credential, uint enabledProtocols)
{
//There is 1 structures in the paCred array.
const uint CountOfCred = 1;
this.dwVersion = NativeMethods.SCHANNEL_CRED_VERSION;
if (credential != null && credential.Certificate != null)
{
this.cCreds = CountOfCred;
this.paCred = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(IntPtr)));
Marshal.WriteIntPtr(this.paCred, credential.Certificate.Handle);
}
else
{
this.paCred = IntPtr.Zero;
this.cCreds = 0;
}
this.hRootStore = IntPtr.Zero;
this.cMappers = 0;
this.aphMappers = IntPtr.Zero;
this.cSupportedAlgs = 0;
this.palgSupportedAlgs = IntPtr.Zero;
this.grbitEnabledProtocols = enabledProtocols;
this.dwMinimumCipherStrength = 0;
this.dwMaximumCipherStrength = 0;
this.dwSessionLifespan = 0;
if (credential == null || credential.Certificate == null)
{
this.dwFlags = NativeMethods.SCH_CRED_MANUAL_CRED_VALIDATION | NativeMethods.SCH_CRED_NO_DEFAULT_CREDS;
}
else
{
this.dwFlags = 0;
}
this.dwCredFormat = 0;
}
