private static KrbChecksum GenerateChecksum(KerberosKey key, KrbPrincipalName userName, string userRealm, string authPackage) { var dataLength = 0; dataLength += 4; foreach (var name in userName.Name) { dataLength += name.Length; } dataLength += userRealm.Length; dataLength += authPackage.Length; var checksumData = new Memory <byte>(new byte[dataLength]); Endian.ConvertToLittleEndian((int)userName.Type, checksumData); var position = 4; for (var i = 0; i < userName.Name.Length; i++) { Concat(checksumData, ref position, ref userName.Name[i]); } Concat(checksumData, ref position, ref userRealm); Concat(checksumData, ref position, ref authPackage); return(KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType)); }
public static KrbApReq CreateApReq( KrbKdcRep tgsRep, KerberosKey authenticatorKey, ApOptions options, out KrbAuthenticator authenticator ) { var ticket = tgsRep.Ticket; authenticator = new KrbAuthenticator { CName = tgsRep.CName, Realm = ticket.Realm, SequenceNumber = KerberosConstants.GetNonce(), Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType), Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo()) }; KerberosConstants.Now(out authenticator.CTime, out authenticator.CuSec); var apReq = new KrbApReq { Ticket = ticket, ApOptions = options, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded) where T : KrbPaForUser, new() { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } decoded = new T(); AsnReader sequenceReader = reader.ReadSequence(expectedTag); AsnReader explicitReader; explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0)); KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.UserName); explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1)); decoded.UserRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString); explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2)); KrbChecksum.Decode <KrbChecksum>(explicitReader, out decoded.Checksum); explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3)); decoded.AuthPackage = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString); explicitReader.ThrowIfNotEmpty(); sequenceReader.ThrowIfNotEmpty(); }
public void GenerateChecksum(KerberosKey key) { var dataLength = 0; dataLength += 4; foreach (var name in UserName.Name) { dataLength += name.Length; } dataLength += UserRealm.Length; dataLength += AuthPackage.Length; var checksumData = new Memory <byte>(new byte[dataLength]); Endian.ConvertToLittleEndian((int)UserName.Type, checksumData); var position = 4; for (var i = 0; i < UserName.Name.Length; i++) { Concat(checksumData, ref position, ref UserName.Name[i]); } Concat(checksumData, ref position, ref UserRealm); Concat(checksumData, ref position, ref AuthPackage); Checksum = KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType); }
private static KrbChecksum GenerateChecksum(KerberosKey key, KrbPrincipalName userName, string userRealm, string authPackage) { var dataLength = 0; dataLength += 4; foreach (var name in userName.Name) { dataLength += name.Length; } dataLength += userRealm.Length; dataLength += authPackage.Length; var checksumData = new Memory <byte>(new byte[dataLength]); BinaryPrimitives.WriteInt32LittleEndian(checksumData.Span, (int)userName.Type); var position = 4; for (var i = 0; i < userName.Name.Length; i++) { Concat(checksumData, userName.Name[i], ref position); } Concat(checksumData, userRealm, ref position); Concat(checksumData, authPackage, ref position); return(KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType)); }
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded) where T : KrbPaS4uX509User, new() { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } decoded = new T(); AsnReader sequenceReader = reader.ReadSequence(expectedTag); AsnReader explicitReader; explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0)); KrbS4uUserId.Decode <KrbS4uUserId>(explicitReader, out KrbS4uUserId tmpUserId); decoded.UserId = tmpUserId; explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1)); KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpChecksum); decoded.Checksum = tmpChecksum; explicitReader.ThrowIfNotEmpty(); sequenceReader.ThrowIfNotEmpty(); }
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded) where T : KrbFastFinished, new() { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } decoded = new T(); AsnReader sequenceReader = reader.ReadSequence(expectedTag); AsnReader explicitReader; explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0)); decoded.Timestamp = explicitReader.ReadGeneralizedTime(); explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1)); if (!explicitReader.TryReadInt32(out int tmpUSec)) { explicitReader.ThrowIfNotEmpty(); } decoded.USec = tmpUSec; explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2)); decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString); explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3)); KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName); decoded.CName = tmpCName; explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4)); KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpTicketChecksum); decoded.TicketChecksum = tmpTicketChecksum; explicitReader.ThrowIfNotEmpty(); sequenceReader.ThrowIfNotEmpty(); }
public static KrbApReq CreateApReq( KrbKdcRep tgsRep, KerberosKey authenticatorKey, RequestServiceTicket rst, out KrbAuthenticator authenticator ) { if (tgsRep == null) { throw new ArgumentNullException(nameof(tgsRep)); } if (authenticatorKey == null) { throw new ArgumentNullException(nameof(authenticatorKey)); } var ticket = tgsRep.Ticket; authenticator = new KrbAuthenticator { CName = tgsRep.CName, Realm = ticket.Realm, SequenceNumber = KerberosConstants.GetNonce(), Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType), Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo(rst)) }; KerberosConstants.Now(out DateTimeOffset ctime, out int usec); authenticator.CTime = ctime; authenticator.CuSec = usec; var apReq = new KrbApReq { Ticket = ticket, ApOptions = rst.ApOptions, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded) where T : KrbFastArmoredReq, new() { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } decoded = new T(); AsnReader sequenceReader = reader.ReadSequence(expectedTag); AsnReader explicitReader; if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 0))) { explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0)); KrbFastArmor.Decode <KrbFastArmor>(explicitReader, out KrbFastArmor tmpArmor); decoded.Armor = tmpArmor; explicitReader.ThrowIfNotEmpty(); } explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1)); KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpRequestChecksum); decoded.RequestChecksum = tmpRequestChecksum; explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2)); KrbEncryptedData.Decode <KrbEncryptedData>(explicitReader, out KrbEncryptedData tmpEncryptedFastRequest); decoded.EncryptedFastRequest = tmpEncryptedFastRequest; explicitReader.ThrowIfNotEmpty(); sequenceReader.ThrowIfNotEmpty(); }
private static ReadOnlyMemory <byte> EncodeS4URequest(string s4u, X509Certificate2 certificate, int nonce, string realm, KrbEncryptionKey sessionKey) { var userId = new KrbS4uUserId() { CName = new KrbPrincipalName { Type = PrincipalNameType.NT_ENTERPRISE, Name = new[] { s4u } }, Nonce = nonce, Realm = realm }; if (certificate != null) { userId.SubjectCertificate = certificate.RawData; } var paX509 = new KrbPaS4uX509User { UserId = userId, Checksum = KrbChecksum.Create(userId.Encode(), sessionKey.AsKey(), (KeyUsage)26) }; return(paX509.Encode()); }
public static KrbTgsReq CreateTgsReq( RequestServiceTicket rst, KrbEncryptionKey tgtSessionKey, KrbKdcRep kdcRep, out KrbEncryptionKey sessionKey ) { var sname = rst.ServicePrincipalName.Split('/', '@'); var tgt = kdcRep.Ticket; var additionalTickets = new List <KrbTicket>(); if (rst.KdcOptions.HasFlag(KdcOptions.EncTktInSkey) && rst.UserToUserTicket != null) { additionalTickets.Add(rst.UserToUserTicket); } if (!string.IsNullOrWhiteSpace(rst.S4uTarget)) { rst.KdcOptions |= KdcOptions.Forwardable; } if (rst.S4uTicket != null) { rst.KdcOptions |= KdcOptions.ConstrainedDelegation; additionalTickets.Add(rst.S4uTicket); } var body = new KrbKdcReqBody { EType = KerberosConstants.ETypes.ToArray(), KdcOptions = rst.KdcOptions, Nonce = KerberosConstants.GetNonce(), Realm = rst.Realm, SName = new KrbPrincipalName() { Type = PrincipalNameType.NT_SRV_INST, Name = sname }, Till = KerberosConstants.EndOfTime, CName = rst.CNameHint }; if (additionalTickets.Count > 0) { body.AdditionalTickets = additionalTickets.ToArray(); } var bodyChecksum = KrbChecksum.Create( body.Encode(), tgtSessionKey.AsKey(), KeyUsage.PaTgsReqChecksum ); var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, out sessionKey); var pacOptions = new KrbPaPacOptions { Flags = PacOptions.ResourceBasedConstrainedDelegation | PacOptions.Claims | PacOptions.BranchAware }.Encode(); var paData = new List <KrbPaData>() { new KrbPaData { Type = PaDataType.PA_TGS_REQ, Value = tgtApReq.EncodeApplication() }, new KrbPaData { Type = PaDataType.PA_PAC_OPTIONS, Value = pacOptions } }; if (!string.IsNullOrWhiteSpace(rst.S4uTarget)) { paData.Add(new KrbPaData { Type = PaDataType.PA_FOR_USER, Value = EncodeS4URequest(rst.S4uTarget, tgt.Realm, tgtSessionKey) }); } var tgs = new KrbTgsReq { PaData = paData.ToArray(), Body = body }; return(tgs); }
private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessionKey, KrbChecksum checksum, out KrbEncryptionKey sessionKey) { var tgt = kdcRep.Ticket; var authenticator = new KrbAuthenticator { CName = kdcRep.CName, Realm = kdcRep.CRealm, SequenceNumber = KerberosConstants.GetNonce(), Checksum = checksum }; sessionKey = KrbEncryptionKey.Generate(tgtSessionKey.EType); sessionKey.Usage = KeyUsage.EncTgsRepPartSubSessionKey; authenticator.Subkey = sessionKey; KerberosConstants.Now(out authenticator.CTime, out authenticator.CuSec); var encryptedAuthenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), tgtSessionKey.AsKey(), KeyUsage.PaTgsReqAuthenticator ); var apReq = new KrbApReq { Ticket = tgt, Authenticator = encryptedAuthenticator }; return(apReq); }
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded) where T : KrbAuthenticator, new() { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } decoded = new T(); AsnReader sequenceReader = reader.ReadSequence(expectedTag); AsnReader explicitReader; AsnReader collectionReader; explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0)); if (!explicitReader.TryReadInt32(out int tmpAuthenticatorVersionNumber)) { explicitReader.ThrowIfNotEmpty(); } decoded.AuthenticatorVersionNumber = tmpAuthenticatorVersionNumber; explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1)); decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString); explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2)); KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName); decoded.CName = tmpCName; explicitReader.ThrowIfNotEmpty(); if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3))) { explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3)); KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpChecksum); decoded.Checksum = tmpChecksum; explicitReader.ThrowIfNotEmpty(); } explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4)); if (!explicitReader.TryReadInt32(out int tmpCuSec)) { explicitReader.ThrowIfNotEmpty(); } decoded.CuSec = tmpCuSec; explicitReader.ThrowIfNotEmpty(); explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5)); decoded.CTime = explicitReader.ReadGeneralizedTime(); explicitReader.ThrowIfNotEmpty(); if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6))) { explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6)); KrbEncryptionKey.Decode <KrbEncryptionKey>(explicitReader, out KrbEncryptionKey tmpSubkey); decoded.Subkey = tmpSubkey; explicitReader.ThrowIfNotEmpty(); } if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 7))) { explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7)); if (explicitReader.TryReadInt32(out int tmpSequenceNumber)) { decoded.SequenceNumber = tmpSequenceNumber; } else { explicitReader.ThrowIfNotEmpty(); } explicitReader.ThrowIfNotEmpty(); } if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8))) { explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8)); // Decode SEQUENCE OF for AuthorizationData { collectionReader = explicitReader.ReadSequence(); var tmpList = new List <KrbAuthorizationData>(); KrbAuthorizationData tmpItem; while (collectionReader.HasData) { KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out KrbAuthorizationData tmp); tmpItem = tmp; tmpList.Add(tmpItem); } decoded.AuthorizationData = tmpList.ToArray(); } explicitReader.ThrowIfNotEmpty(); } sequenceReader.ThrowIfNotEmpty(); }
public static KrbApReq CreateApReq( KrbKdcRep tgsRep, KerberosKey authenticatorKey, RequestServiceTicket rst, out KrbAuthenticator authenticator ) { if (tgsRep == null) { throw new ArgumentNullException(nameof(tgsRep)); } if (authenticatorKey == null) { throw new ArgumentNullException(nameof(authenticatorKey)); } authenticator = new KrbAuthenticator { CName = tgsRep.CName, Realm = tgsRep.CRealm }; if (rst.AuthenticatorChecksum != null) { authenticator.Checksum = rst.AuthenticatorChecksum; } else if (!rst.AuthenticatorChecksumSource.IsEmpty) { authenticator.Checksum = KrbChecksum.Create( rst.AuthenticatorChecksumSource, authenticatorKey, KeyUsage.AuthenticatorChecksum ); } else if (rst.GssContextFlags != GssContextEstablishmentFlag.GSS_C_NONE) { authenticator.Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo(rst)); } if (rst.IncludeSequenceNumber ?? true) { authenticator.SequenceNumber = GetNonce(); } if (rst.ApOptions.HasFlag(ApOptions.MutualRequired)) { authenticator.Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType); } Now(out DateTimeOffset ctime, out int usec); authenticator.CTime = ctime; authenticator.CuSec = usec; var apReq = new KrbApReq { Ticket = tgsRep.Ticket, ApOptions = rst.ApOptions, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
public static KrbTgsReq CreateTgsReq( RequestServiceTicket rst, KrbEncryptionKey tgtSessionKey, KrbKdcRep kdcRep, out KrbEncryptionKey sessionKey ) { if (kdcRep == null) { throw new ArgumentNullException(nameof(kdcRep)); } if (tgtSessionKey == null) { throw new ArgumentNullException(nameof(tgtSessionKey)); } if (string.IsNullOrWhiteSpace(rst.ServicePrincipalName)) { throw new ArgumentNullException(nameof(rst.ServicePrincipalName)); } var sname = rst.ServicePrincipalName.Split('/', '@'); var tgt = kdcRep.Ticket; var additionalTickets = new List <KrbTicket>(); if (rst.KdcOptions.HasFlag(KdcOptions.EncTktInSkey) && rst.UserToUserTicket != null) { additionalTickets.Add(rst.UserToUserTicket); } if (!string.IsNullOrWhiteSpace(rst.S4uTarget) && rst.S4uTicket != null) { throw new InvalidOperationException(SR.Resource("S4uTargetTicketBothPresent")); } if (!string.IsNullOrWhiteSpace(rst.S4uTarget)) { rst.KdcOptions |= KdcOptions.Forwardable; } if (rst.S4uTicket != null) { rst.KdcOptions |= KdcOptions.ConstrainedDelegation; additionalTickets.Add(rst.S4uTicket); } var config = rst.Configuration ?? Krb5Config.Default(); var body = new KrbKdcReqBody { EType = GetPreferredETypes(config.Defaults.DefaultTgsEncTypes, config.Defaults.AllowWeakCrypto).ToArray(), KdcOptions = rst.KdcOptions, Nonce = GetNonce(), Realm = rst.Realm, SName = new KrbPrincipalName() { Type = PrincipalNameType.NT_SRV_INST, Name = sname }, Till = EndOfTime, CName = rst.CNameHint }; if (additionalTickets.Count > 0) { body.AdditionalTickets = additionalTickets.ToArray(); } var bodyChecksum = KrbChecksum.Create( body.Encode(), tgtSessionKey.AsKey(), KeyUsage.PaTgsReqChecksum ); var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, out sessionKey); var pacOptions = new KrbPaPacOptions { Flags = PacOptions.ResourceBasedConstrainedDelegation | PacOptions.Claims | PacOptions.BranchAware }.Encode(); var paData = new List <KrbPaData>() { new KrbPaData { Type = PaDataType.PA_TGS_REQ, Value = tgtApReq.EncodeApplication() }, new KrbPaData { Type = PaDataType.PA_PAC_OPTIONS, Value = pacOptions } }; if (!string.IsNullOrWhiteSpace(rst.S4uTarget)) { if (tgtSessionKey.EType == EncryptionType.RC4_HMAC_NT) { paData.Add(new KrbPaData { Type = PaDataType.PA_FOR_USER, Value = EncodeS4ULegacyRequest(rst.S4uTarget, tgt.Realm, tgtSessionKey) }); } else { paData.Add(new KrbPaData { Type = PaDataType.PA_FOR_X509_USER, Value = EncodeS4URequest(rst.S4uTarget, rst.S4uTargetCertificate, body.Nonce, tgt.Realm, sessionKey) }); } } var tgs = new KrbTgsReq { PaData = paData.ToArray(), Body = body }; return(tgs); }