public override void PreValidate(PreAuthenticationContext preauth)
{
if (preauth == null)
{
throw new ArgumentNullException(nameof(preauth));
}
var asReq = (KrbKdcReq)preauth.Message;
var paPk = asReq.PaData.FirstOrDefault(p => p.Type == PaDataType.PA_PK_AS_REQ);
if (paPk == null)
{
return;
}
var pkreq = KrbPaPkAsReq.Decode(paPk.Value);
var signedCms = new SignedCms();
signedCms.Decode(pkreq.SignedAuthPack.ToArray());
var state = new PkInitState
{
PkInitRequest = pkreq,
Cms = signedCms
};
state.ClientCertificate.AddRange(signedCms.Certificates);
preauth.PreAuthenticationState[PaDataType.PA_PK_AS_REQ] = state;
}
public void ParsePaPkAsReq_SignedAuthPack_ParseAuthPack()
{
KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq);
SignedCms signedCms = new SignedCms();
signedCms.Decode(asreq.SignedAuthPack.ToArray());
signedCms.CheckSignature(verifySignatureOnly: true);
KrbAuthPack authPack = KrbAuthPack.Decode(signedCms.ContentInfo.Content);
Assert.IsNotNull(authPack);
var param = authPack.ClientPublicValue.Algorithm.Parameters.Value;
var b64 = Convert.ToBase64String(param.ToArray());
var domainParams = KrbDiffieHellmanDomainParameters.DecodeSpecial(param);
Assert.IsNotNull(domainParams);
var special = domainParams.EncodeSpecial();
Assert.IsTrue(special.Span.SequenceEqual(param.ToArray()));
var decodedPk = CryptEncode.CryptDecodePublicParameter(authPack.ClientPublicValue.SubjectPublicKey).Slice(16);
}
public void ParsePaPkAsReq_SignedAuthPack()
{
KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq);
SignedCms signedCms = new SignedCms();
signedCms.Decode(asreq.SignedAuthPack.ToArray());
signedCms.CheckSignature(verifySignatureOnly: true);
}
public override async Task <KrbPaData> Validate(KrbKdcReq asReq, PreAuthenticationContext preauth)
{
var paPk = asReq.PaData.FirstOrDefault(p => p.Type == PaDataType.PA_PK_AS_REQ);
if (paPk == null)
{
return(null);
}
var pkreq = KrbPaPkAsReq.Decode(paPk.Value);
var authPack = await ValidateAuthPack(preauth.Principal, pkreq);
ValidateAuthenticator(authPack.PKAuthenticator, asReq.Body);
var requestAlg = authPack.ClientPublicValue?.Algorithm?.Algorithm;
IKeyAgreement agreement;
if (requestAlg?.Value == EllipticCurveDiffieHellman.Value)
{
agreement = FromEllipticCurveDomainParameters(authPack.ClientPublicValue);
}
else if (requestAlg?.Value == DiffieHellman.Value)
{
agreement = await FromDiffieHellmanDomainParametersAsync(authPack.ClientPublicValue);
}
else
{
throw OnlyKeyAgreementSupportedException();
}
var derivedKey = agreement.GenerateAgreement();
var etype = asReq.Body.EType.First();
var transform = CryptoService.CreateTransform(etype);
ReadOnlyMemory <byte> clientDHNonce = authPack.ClientDHNonce.GetValueOrDefault();
ReadOnlyMemory <byte> serverDHNonce = default;
if (clientDHNonce.Length > 0)
{
serverDHNonce = transform.GenerateRandomBytes(agreement.PublicKey.KeyLength);
await Service.Principals.CacheKey(agreement.PrivateKey);
}
var keyInfo = new KrbKdcDHKeyInfo {
SubjectPublicKey = agreement.PublicKey.EncodePublicKey()
};
if (agreement.PublicKey.CacheExpiry.HasValue)
{
keyInfo.DHKeyExpiration = agreement.PublicKey.CacheExpiry;
keyInfo.Nonce = authPack.PKAuthenticator.Nonce;
}
var sessionKey = PKInitString2Key.String2Key(
derivedKey.Span,
transform.KeySize,
clientDHNonce.Span,
serverDHNonce.Span
);
var paPkRep = new KrbPaPkAsRep
{
DHInfo = new KrbDHReplyInfo
{
DHSignedData = await SignDHResponseAsync(keyInfo),
ServerDHNonce = serverDHNonce
}
};
preauth.PaData = new[]
{
new KrbPaData
{
Type = PaDataType.PA_PK_AS_REP,
Value = paPkRep.Encode()
}
};
preauth.EncryptedPartKey = new KerberosKey(key: sessionKey.ToArray(), etype: etype);
return(null);
}
public void ParsePaPkAsReq()
{
KrbPaPkAsReq asreq = KrbPaPkAsReq.Decode(signedPkAsReq);
Assert.IsNotNull(asreq);
}
