示例#1
0
        public void KrbErrorRoundtrip()
        {
            var err = new KrbError
            {
                CName = new KrbPrincipalName {
                    Name = new[] { "krbtgt", "domain.com" }, Type = PrincipalNameType.NT_SRV_HST
                },
                CRealm    = "domain.com",
                CTime     = DateTimeOffset.UtcNow,
                Cusec     = 123,
                EData     = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 },
                ErrorCode = KerberosErrorCode.KRB_ERR_GENERIC,
                EText     = "this is a test of the error roundtrip",
                Realm     = "domain.com",
                SName     = new KrbPrincipalName {
                    Name = new[] { "krbtgt", "domain.com" }, Type = PrincipalNameType.NT_SRV_HST
                },
                STime = DateTimeOffset.UtcNow,
                Susc  = 2345356
            };

            var encoded = err.EncodeApplication();

            var decoded = KrbError.DecodeApplication(encoded);

            Assert.IsNotNull(decoded);

            Assert.AreEqual(err.CRealm, decoded.CRealm);
            Assert.AreEqual(MessageType.KRB_ERROR, decoded.MessageType);
            Assert.AreEqual(5, decoded.ProtocolVersionNumber);

            Assert.AreEqual(err.CTime.ToString(), decoded.CTime.ToString());
            Assert.AreEqual(err.ErrorCode, decoded.ErrorCode);
            Assert.AreEqual(err.Realm, decoded.Realm);
        }
示例#2
0
        public void KrbErrorParseEtypeInfo()
        {
            var krbErrBin = ReadDataFile("messages\\krb-error-preauth-required").Skip(4).ToArray();

            var err = KrbError.DecodeApplication(krbErrBin);

            var preauth = err.DecodePreAuthentication();

            IEnumerable <KrbETypeInfo2Entry> etype = null;

            foreach (var auth in preauth)
            {
                if (auth.Type == PaDataType.PA_ETYPE_INFO2)
                {
                    etype = auth.DecodeETypeInfo2();
                }
            }

            Assert.IsNotNull(etype);

            Assert.AreEqual(2, etype.Count());

            Assert.AreEqual(EncryptionType.AES256_CTS_HMAC_SHA1_96, etype.ElementAt(0).EType);
            Assert.AreEqual(EncryptionType.RC4_HMAC_NT, etype.ElementAt(1).EType);
        }
        private void ProcessKdcProxy(KdcProxyMessage proxyMessage, string source)
        {
            var message = proxyMessage.UnwrapMessage();

            var kdcBody = new
            {
                AsReq    = TryDecode(message, m => KrbAsReq.DecodeApplication(m)),
                AsRep    = TryDecode(message, m => KrbAsRep.DecodeApplication(m)),
                TgsReq   = TryDecode(message, m => KrbTgsReq.DecodeApplication(m)),
                TgsRep   = TryDecode(message, m => KrbTgsRep.DecodeApplication(m)),
                KrbError = TryDecode(message, m => KrbError.DecodeApplication(m))
            };

            if (kdcBody.AsReq != null)
            {
                ExplodeObject(kdcBody.AsReq, $"AS-REQ ({source})");
            }
            else if (kdcBody.AsRep != null)
            {
                ExplodeObject(kdcBody.AsRep, $"AS-REP ({source})");
            }
            else if (kdcBody.TgsReq != null)
            {
                ExplodeObject(kdcBody.TgsReq, $"TGS-REQ ({source})");
            }
            else if (kdcBody.TgsRep != null)
            {
                ExplodeObject(kdcBody.TgsRep, $"TGS-REP ({source})");
            }
            else if (kdcBody.KrbError != null)
            {
                ExplodeObject(kdcBody.KrbError, $"Krb-Error ({source})");
            }
        }
示例#4
0
        public void ErrorPreAuthRoundtrip()
        {
            var krbErrBin = ReadDataFile("messages\\krb-error-preauth-required").Skip(4).ToArray();

            var err = KrbError.DecodeApplication(krbErrBin);

            var bytes = err.EncodeApplication();

            Assert.IsTrue(krbErrBin.SequenceEqual(bytes.ToArray()));
        }
示例#5
0
        public void Message_KrbErrorPreAuth()
        {
            var file = ReadDataFile("messages\\krb-error-preauth-required");

            var decoded = TestSimpleRoundtrip(
                "krb-error-preauth-required",
                file.Skip(4).ToArray(),
                v => KrbError.DecodeApplication(v),
                t => t.EncodeApplication().ToArray()
                );

            Assert.IsNotNull(decoded);
        }
示例#6
0
        public void ResourceManagerFormattedResource()
        {
            var asReq = ReadDataFile("messages\\as-req");

            try
            {
                KrbError.DecodeApplication(asReq);
            }
            catch (Exception ex)
            {
                Assert.IsTrue(ex.Message.Contains("Expected Application-30"));
                throw;
            }
        }
示例#7
0
        protected static T Decode <T>(byte[] response) where T : IAsn1ApplicationEncoder <T>, new()
        {
            if (KrbError.CanDecode(response))
            {
                var error = KrbError.DecodeApplication(response);

                if (error.ErrorCode == KerberosErrorCode.KRB_ERR_RESPONSE_TOO_BIG)
                {
                    throw new KerberosTransportException(error);
                }

                throw new KerberosProtocolException(error);
            }

            return(new T().DecodeAsApplication(response));
        }
示例#8
0
        public async Task KdcTagPeekFailureApplication()
        {
            var kdc = new KdcServer(new KdcServerOptions {
                DefaultRealm = "domain.com", IsDebug = true, Log = new FakeExceptionLoggerFactory()
            });

            var checksum = new KrbChecksum {
            };

            var response = await kdc.ProcessMessage(checksum.Encode());

            var err = KrbError.DecodeApplication(response);

            Assert.IsNotNull(err);

            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, err.ErrorCode);
        }
示例#9
0
        public async Task KdcTagPeekFailureUnknownHandler()
        {
            var kdc = new KdcServer(new KdcServerOptions {
                DefaultRealm = "domain.com", IsDebug = true
            });

            var krbCred = new KrbCred {
                Tickets = Array.Empty <KrbTicket>()
            };

            var response = await kdc.ProcessMessage(krbCred.EncodeApplication());

            var err = KrbError.DecodeApplication(response);

            Assert.IsNotNull(err);

            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, err.ErrorCode);
            Assert.IsTrue(err.EText.Contains("doesn't have a message handler registered"));
        }
示例#10
0
        public async Task TestKdcTagPeekFailureUnknownHandler()
        {
            var kdc = new KdcServer(new ListenerOptions {
                DefaultRealm = "domain.com", IsDebug = true
            });

            var aprepPart = new KrbEncApRepPart {
            };

            ReadOnlySequence <byte> request = new ReadOnlySequence <byte>(aprepPart.EncodeApplication().ToArray());

            var response = await kdc.ProcessMessage(request);

            var err = KrbError.DecodeApplication(response);

            Assert.IsNotNull(err);

            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, err.ErrorCode);
            Assert.IsTrue(err.EText.Contains("doesn't have a message handler registered"));
        }
示例#11
0
        public async Task TestKdcTagPeekFailureApplication()
        {
            var kdc = new KdcServer(new ListenerOptions {
                DefaultRealm = "domain.com", IsDebug = true, Log = new ValidatorTests.TestLogger()
            });

            var checksum = new KrbChecksum {
            };

            ReadOnlySequence <byte> request = new ReadOnlySequence <byte>(checksum.Encode().ToArray());

            var response = await kdc.ProcessMessage(request);

            var err = KrbError.DecodeApplication(response);

            Assert.IsNotNull(err);

            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, err.ErrorCode);
            Assert.IsTrue(err.EText.Contains("Unknown incoming tag"));
        }
示例#12
0
        public async Task KdcTagPeekFailureNullBuilder()
        {
            var kdc = new KdcServer(new KdcServerOptions {
                DefaultRealm = "domain.com", IsDebug = true
            });

            kdc.RegisterMessageHandler(MessageType.KRB_CRED, (b, o) => null);

            var krbCred = new KrbCred {
                Tickets = Array.Empty <KrbTicket>()
            };

            var response = await kdc.ProcessMessage(krbCred.EncodeApplication());

            var err = KrbError.DecodeApplication(response);

            Assert.IsNotNull(err);

            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, err.ErrorCode);
            Assert.IsTrue(err.EText.Contains("Message handler builder KRB_CRED must not return null"));
        }
示例#13
0
        public async Task TestKdcTagPeekFailureNullBuilder()
        {
            var kdc = new KdcServer(new ListenerOptions {
                DefaultRealm = "domain.com", IsDebug = true
            });

            kdc.RegisterMessageHandler((MessageType)27, (b, o) => null);

            var aprepPart = new KrbEncApRepPart {
            };

            ReadOnlySequence <byte> request = new ReadOnlySequence <byte>(aprepPart.EncodeApplication().ToArray());

            var response = await kdc.ProcessMessage(request);

            var err = KrbError.DecodeApplication(response);

            Assert.IsNotNull(err);

            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, err.ErrorCode);
            Assert.IsTrue(err.EText.Contains("Message handler builder 27 must not return null"));
        }
示例#14
0
        public async Task ParseKdcProxyMessage()
        {
            var req = KrbAsReq.CreateAsReq(
                new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!"),
                0
                ).EncodeApplication();

            var domain = "corp.identityintervention.com";
            var hint   = DcLocatorHint.DS_AVOID_SELF;

            var messageBytes = new Memory <byte>(new byte[req.Length + 4]);

            Endian.ConvertToBigEndian(req.Length, messageBytes.Slice(0, 4));
            req.CopyTo(messageBytes.Slice(4, req.Length));

            var message = new KdcProxyMessage
            {
                TargetDomain  = domain,
                KerbMessage   = messageBytes,
                DcLocatorHint = hint
            };

            var kdc = new KdcServer(new ListenerOptions {
                RealmLocator = LocateFakeRealm
            });

            var response = await kdc.ProcessMessage(new ReadOnlySequence <byte>(message.Encode()));

            Assert.IsTrue(response.Length > 0);
            Assert.IsFalse(KrbError.CanDecode(response));

            var proxy = KdcProxyMessage.Decode(response);

            var preAuthReq = KrbError.DecodeApplication(proxy.UnwrapMessage());

            Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, preAuthReq.ErrorCode);
        }
示例#15
0
        public void TestParseAllMessagesRoundtrip()
        {
            var allMessages = ReadDataFiles("messages\\");

            foreach (var file in allMessages)
            {
                var key = file.Key.Substring(file.Key.LastIndexOf('\\') + 1);

                Debug.WriteLine(file.Value.HexDump());

                switch (key)
                {
                case "as-rep":
                    var asrep = TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => new KrbAsRep().DecodeAsApplication(v),
                        t => t.EncodeApplication().ToArray()
                        );
                    break;

                case "as-req":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbAsReq.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray());
                    break;

                case "as-req-preauth":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbAsReq.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray());
                    break;

                case "krb-error-preauth-required":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbError.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray());
                    break;

                case "tgs-rep-testuser-host-app03":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbTgsRep.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray()
                        );
                    break;

                case "tgs-rep-testuser-host-appservice":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbTgsRep.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray()
                        );
                    break;

                case "tgs-rep-testuser-krbtgt-renew":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbTgsRep.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray()
                        );
                    break;

                case "tgs-req-testuser-host-app03":
                    var thing = TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbTgsReq.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray()
                        );
                    break;

                case "tgs-req-testuser-host-appservice":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbTgsReq.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray());
                    break;

                case "tgs-req-testuser-krbtgt-renew":
                    TestSimpleRoundtrip(
                        key,
                        file.Value.Skip(4).ToArray(),
                        v => KrbTgsReq.DecodeApplication(v),
                        t => t.EncodeApplication().ToArray());
                    break;
                }
            }
        }