public static KrbApReq CreateApReq( KrbKdcRep tgsRep, KerberosKey authenticatorKey, ApOptions options, out KrbAuthenticator authenticator ) { var ticket = tgsRep.Ticket; authenticator = new KrbAuthenticator { CName = tgsRep.CName, Realm = ticket.Realm, SequenceNumber = KerberosConstants.GetNonce(), Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType), Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo()) }; KerberosConstants.Now(out authenticator.CTime, out authenticator.CuSec); var apReq = new KrbApReq { Ticket = ticket, ApOptions = options, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
public static T GenerateServiceTicket <T>(ServiceTicketRequest request) where T : KrbKdcRep, new() { if (request.EncryptedPartKey == null) { throw new InvalidOperationException("A client key must be provided to encrypt the response"); } request = GenerateServiceTicket <T>( request, out KrbEncTicketPart encTicketPart, out KrbTicket ticket, out KrbEncKdcRepPart encKdcRepPart, out KeyUsage keyUsage, out MessageType messageType ); var rep = new T { CName = encTicketPart.CName, CRealm = request.RealmName, MessageType = messageType, Ticket = ticket, EncPart = KrbEncryptedData.Encrypt( encKdcRepPart.EncodeApplication(), request.EncryptedPartKey, keyUsage ) }; return(rep); }
private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessionKey, KrbChecksum checksum, out KrbEncryptionKey sessionKey) { var tgt = kdcRep.Ticket; var authenticator = new KrbAuthenticator { CName = kdcRep.CName, Realm = kdcRep.CRealm, SequenceNumber = KerberosConstants.GetNonce(), Checksum = checksum }; sessionKey = KrbEncryptionKey.Generate(tgtSessionKey.EType); sessionKey.Usage = KeyUsage.EncTgsRepPartSubSessionKey; authenticator.Subkey = sessionKey; KerberosConstants.Now(out authenticator.CTime, out authenticator.CuSec); var encryptedAuthenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), tgtSessionKey.AsKey(), KeyUsage.PaTgsReqAuthenticator ); var apReq = new KrbApReq { Ticket = tgt, Authenticator = encryptedAuthenticator }; return(apReq); }
public static KrbApReq CreateApReq(KrbKdcRep tgsRep, KerberosKey authenticatorKey, ApOptions options) { var ticket = tgsRep.Ticket; KerberosConstants.Now(out DateTimeOffset time, out int usec); var authenticator = new KrbAuthenticator { CName = tgsRep.CName, CTime = time, Cusec = usec, Realm = ticket.Realm, SequenceNumber = KerberosConstants.GetNonce(), Subkey = null, AuthenticatorVersionNumber = 5 }; var apReq = new KrbApReq { Ticket = ticket, ApOptions = options, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessionKey) { var tgt = kdcRep.Ticket; KerberosConstants.Now(out DateTimeOffset time, out int usec); var authenticator = new KrbAuthenticator { CName = kdcRep.CName, CTime = time, Cusec = usec, Realm = tgt.Realm, SequenceNumber = KerberosConstants.GetNonce(), Subkey = tgtSessionKey, AuthenticatorVersionNumber = 5 }; var encryptedAuthenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), tgtSessionKey.AsKey(), KeyUsage.PaTgsReqAuthenticator ); var apReq = new KrbApReq { Ticket = tgt, Authenticator = encryptedAuthenticator }; return(apReq); }
public static KrbApReq CreateApReq( KrbKdcRep tgsRep, KerberosKey authenticatorKey, RequestServiceTicket rst, out KrbAuthenticator authenticator ) { if (tgsRep == null) { throw new ArgumentNullException(nameof(tgsRep)); } if (authenticatorKey == null) { throw new ArgumentNullException(nameof(authenticatorKey)); } var ticket = tgsRep.Ticket; authenticator = new KrbAuthenticator { CName = tgsRep.CName, Realm = ticket.Realm, SequenceNumber = KerberosConstants.GetNonce(), Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType), Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo(rst)) }; KerberosConstants.Now(out DateTimeOffset ctime, out int usec); authenticator.CTime = ctime; authenticator.CuSec = usec; var apReq = new KrbApReq { Ticket = ticket, ApOptions = rst.ApOptions, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
public static KrbAsReq CreateAsReq(KerberosCredential credential, AuthenticationOptions options) { var kdcOptions = (KdcOptions)(options & ~AuthenticationOptions.AllAuthentication); var hostAddress = Environment.MachineName; var padata = new List <KrbPaData>() { new KrbPaData { Type = PaDataType.PA_PAC_REQUEST, Value = new KrbPaPacRequest { IncludePac = options.HasFlag(AuthenticationOptions.IncludePacRequest) }.Encode().AsMemory() } }; if (options.HasFlag(AuthenticationOptions.PreAuthenticate)) { KerberosConstants.Now(out DateTimeOffset timestamp, out int usec); var ts = new KrbPaEncTsEnc { PaTimestamp = timestamp, PaUSec = usec }; var tsEncoded = ts.Encode().AsMemory(); KrbEncryptedData encData = KrbEncryptedData.Encrypt( tsEncoded, credential.CreateKey(), KeyUsage.PaEncTs ); padata.Add(new KrbPaData { Type = PaDataType.PA_ENC_TIMESTAMP, Value = encData.Encode().AsMemory() }); } var asreq = new KrbAsReq() { MessageType = MessageType.KRB_AS_REQ, Body = new KrbKdcReqBody { Addresses = new[] { new KrbHostAddress { AddressType = AddressType.NetBios, Address = Encoding.ASCII.GetBytes(hostAddress.PadRight(16, ' ')) } }, CName = new KrbPrincipalName { Name = new[] { $"{credential.UserName}@{credential.Domain}" }, Type = PrincipalNameType.NT_ENTERPRISE }, EType = KerberosConstants.ETypes.ToArray(), KdcOptions = kdcOptions, Nonce = KerberosConstants.GetNonce(), RTime = KerberosConstants.EndOfTime, Realm = credential.Domain, SName = new KrbPrincipalName { Type = PrincipalNameType.NT_SRV_INST, Name = new[] { "krbtgt", credential.Domain } }, Till = KerberosConstants.EndOfTime }, PaData = padata.ToArray() }; return(asreq); }
public static async Task <T> GenerateServiceTicket <T>(ServiceTicketRequest request) where T : KrbKdcRep, new() { var sessionKey = KrbEncryptionKey.Generate(request.ServicePrincipalKey.EncryptionType); var authz = await GenerateAuthorizationData(request.Principal, request.ServicePrincipalKey); var cname = KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName); var flags = request.Flags; if (request.Principal.SupportedPreAuthenticationTypes.Any()) { // This is not strictly an accurate way of detecting if the user was pre-authenticated. // If pre-auth handlers are registered and the principal has PA-Types available, a request // will never make it to this point without getting authenticated. // // However if no pre-auth handlers are registered, then the PA check is skipped // and this isn't technically accurate anymore. // // TODO: this should tie into the make-believe policy check being used in the // auth handler section flags |= TicketFlags.EncryptedPreAuthentication | TicketFlags.PreAuthenticated; } var addresses = request.Addresses; if (addresses == null) { addresses = new KrbHostAddress[0]; } var encTicketPart = new KrbEncTicketPart() { CName = cname, Key = sessionKey, AuthTime = request.Now, StartTime = request.StartTime, EndTime = request.EndTime, CRealm = request.RealmName, Flags = flags, AuthorizationData = authz.ToArray(), CAddr = addresses.ToArray(), Transited = new KrbTransitedEncoding() }; if (flags.HasFlag(TicketFlags.Renewable)) { // RenewTill should never increase if it was set previously even if this is a renewal pass encTicketPart.RenewTill = request.RenewTill; } var ticket = new KrbTicket() { Realm = request.RealmName, SName = KrbPrincipalName.FromPrincipal( request.ServicePrincipal, PrincipalNameType.NT_SRV_INST, request.RealmName ), EncryptedPart = KrbEncryptedData.Encrypt( encTicketPart.EncodeApplication(), request.ServicePrincipalKey, KeyUsage.Ticket ) }; KrbEncKdcRepPart encKdcRepPart; if (typeof(T) == typeof(KrbAsRep)) { encKdcRepPart = new KrbEncAsRepPart(); } else if (typeof(T) == typeof(KrbTgsRep)) { encKdcRepPart = new KrbEncTgsRepPart(); } else { throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}"); } encKdcRepPart.AuthTime = encTicketPart.AuthTime; encKdcRepPart.StartTime = encTicketPart.StartTime; encKdcRepPart.EndTime = encTicketPart.EndTime; encKdcRepPart.RenewTill = encTicketPart.RenewTill; encKdcRepPart.KeyExpiration = request.Principal.Expires; encKdcRepPart.Realm = request.RealmName; encKdcRepPart.SName = ticket.SName; encKdcRepPart.Flags = encTicketPart.Flags; encKdcRepPart.CAddr = encTicketPart.CAddr; encKdcRepPart.Key = sessionKey; encKdcRepPart.Nonce = KerberosConstants.GetNonce(); encKdcRepPart.LastReq = new[] { new KrbLastReq { Type = 0, Value = request.Now } }; encKdcRepPart.EncryptedPaData = new KrbMethodData { MethodData = new[] { new KrbPaData { Type = PaDataType.PA_SUPPORTED_ETYPES, Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory() } } }; encKdcRepPart.EncodeApplication(); var rep = new T { CName = cname, CRealm = request.RealmName, MessageType = MessageType.KRB_AS_REP, Ticket = ticket, EncPart = KrbEncryptedData.Encrypt( encKdcRepPart.EncodeApplication(), request.EncryptedPartKey, encKdcRepPart.KeyUsage ) }; return(rep); }
public static async Task <T> GenerateServiceTicket <T>(ServiceTicketRequest request) where T : KrbKdcRep, new() { if (request.EncryptedPartKey == null) { throw new ArgumentException("A session key must be provided to encrypt the response", nameof(request.EncryptedPartKey)); } if (request.Principal == null) { throw new ArgumentException("A Principal identity must be provided", nameof(request.Principal)); } if (request.ServicePrincipal == null) { throw new ArgumentException("A service principal must be provided", nameof(request.ServicePrincipal)); } if (request.ServicePrincipalKey == null) { throw new ArgumentException("A service principal key must be provided", nameof(request.ServicePrincipalKey)); } var authz = await GenerateAuthorizationData(request.Principal, request); var sessionKey = KrbEncryptionKey.Generate(request.ServicePrincipalKey.EncryptionType); var encTicketPart = CreateEncTicketPart(request, authz.ToArray(), sessionKey); var ticket = new KrbTicket() { Realm = request.RealmName, SName = KrbPrincipalName.FromPrincipal( request.ServicePrincipal, PrincipalNameType.NT_SRV_INST, request.RealmName ), EncryptedPart = KrbEncryptedData.Encrypt( encTicketPart.EncodeApplication(), request.ServicePrincipalKey, KeyUsage.Ticket ) }; KrbEncKdcRepPart encKdcRepPart; KeyUsage keyUsage; if (typeof(T) == typeof(KrbAsRep)) { encKdcRepPart = new KrbEncAsRepPart(); keyUsage = KeyUsage.EncAsRepPart; } else if (typeof(T) == typeof(KrbTgsRep)) { encKdcRepPart = new KrbEncTgsRepPart(); keyUsage = request.EncryptedPartKey.Usage ?? KeyUsage.EncTgsRepPartSessionKey; } else { throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}"); } encKdcRepPart.AuthTime = encTicketPart.AuthTime; encKdcRepPart.StartTime = encTicketPart.StartTime; encKdcRepPart.EndTime = encTicketPart.EndTime; encKdcRepPart.RenewTill = encTicketPart.RenewTill; encKdcRepPart.KeyExpiration = request.Principal.Expires; encKdcRepPart.Realm = request.RealmName; encKdcRepPart.SName = ticket.SName; encKdcRepPart.Flags = encTicketPart.Flags; encKdcRepPart.CAddr = encTicketPart.CAddr; encKdcRepPart.Key = sessionKey; encKdcRepPart.Nonce = request.Nonce; encKdcRepPart.LastReq = new[] { new KrbLastReq { Type = 0, Value = request.Now } }; encKdcRepPart.EncryptedPaData = new KrbMethodData { MethodData = new[] { new KrbPaData { Type = PaDataType.PA_SUPPORTED_ETYPES, Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory() } } }; var cname = KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName); var rep = new T { CName = cname, CRealm = request.RealmName, MessageType = MessageType.KRB_AS_REP, Ticket = ticket, EncPart = KrbEncryptedData.Encrypt( encKdcRepPart.EncodeApplication(), request.EncryptedPartKey, keyUsage ) }; return(rep); }
private static ServiceTicketRequest GenerateServiceTicket <T>( ServiceTicketRequest request, out KrbEncTicketPart encTicketPart, out KrbTicket ticket, out KrbEncKdcRepPart encKdcRepPart, out KeyUsage keyUsage, out MessageType messageType ) where T : KrbKdcRep, new() { if (request.Principal == null) { throw new InvalidOperationException("A Principal identity must be provided"); } if (request.ServicePrincipal == null) { throw new InvalidOperationException("A service principal must be provided"); } if (request.ServicePrincipalKey == null) { throw new InvalidOperationException("A service principal key must be provided"); } var authz = GenerateAuthorizationData(request); var sessionKey = KrbEncryptionKey.Generate(request.PreferredClientEType ?? request.ServicePrincipalKey.EncryptionType); encTicketPart = CreateEncTicketPart(request, authz.ToArray(), sessionKey); bool appendRealm = false; if (request.ServicePrincipal.PrincipalName.Contains("/")) { appendRealm = true; } ticket = new KrbTicket() { Realm = request.RealmName, SName = KrbPrincipalName.FromPrincipal( request.ServicePrincipal, PrincipalNameType.NT_SRV_INST, appendRealm ? null : request.RealmName ), EncryptedPart = KrbEncryptedData.Encrypt( encTicketPart.EncodeApplication(), request.ServicePrincipalKey, KeyUsage.Ticket ) }; if (typeof(T) == typeof(KrbAsRep)) { encKdcRepPart = new KrbEncAsRepPart(); keyUsage = KeyUsage.EncAsRepPart; messageType = MessageType.KRB_AS_REP; } else if (typeof(T) == typeof(KrbTgsRep)) { encKdcRepPart = new KrbEncTgsRepPart(); keyUsage = request.EncryptedPartKey?.Usage ?? KeyUsage.EncTgsRepPartSessionKey; messageType = MessageType.KRB_TGS_REP; } else { throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}"); } encKdcRepPart.AuthTime = encTicketPart.AuthTime; encKdcRepPart.StartTime = encTicketPart.StartTime; encKdcRepPart.EndTime = encTicketPart.EndTime; encKdcRepPart.RenewTill = encTicketPart.RenewTill; encKdcRepPart.KeyExpiration = request.Principal.Expires; encKdcRepPart.Realm = request.RealmName; encKdcRepPart.SName = ticket.SName; encKdcRepPart.Flags = encTicketPart.Flags; encKdcRepPart.CAddr = encTicketPart.CAddr; encKdcRepPart.Key = sessionKey; encKdcRepPart.Nonce = request.Nonce; encKdcRepPart.LastReq = new[] { new KrbLastReq { Type = 0, Value = request.Now } }; encKdcRepPart.EncryptedPaData = new KrbMethodData { MethodData = new[] { new KrbPaData { Type = PaDataType.PA_SUPPORTED_ETYPES, Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory() } } }; return(request); }
public static KrbApReq CreateApReq( KrbKdcRep tgsRep, KerberosKey authenticatorKey, RequestServiceTicket rst, out KrbAuthenticator authenticator ) { if (tgsRep == null) { throw new ArgumentNullException(nameof(tgsRep)); } if (authenticatorKey == null) { throw new ArgumentNullException(nameof(authenticatorKey)); } authenticator = new KrbAuthenticator { CName = tgsRep.CName, Realm = tgsRep.CRealm }; if (rst.AuthenticatorChecksum != null) { authenticator.Checksum = rst.AuthenticatorChecksum; } else if (!rst.AuthenticatorChecksumSource.IsEmpty) { authenticator.Checksum = KrbChecksum.Create( rst.AuthenticatorChecksumSource, authenticatorKey, KeyUsage.AuthenticatorChecksum ); } else if (rst.GssContextFlags != GssContextEstablishmentFlag.GSS_C_NONE) { authenticator.Checksum = KrbChecksum.EncodeDelegationChecksum(new DelegationInfo(rst)); } if (rst.IncludeSequenceNumber ?? true) { authenticator.SequenceNumber = GetNonce(); } if (rst.ApOptions.HasFlag(ApOptions.MutualRequired)) { authenticator.Subkey = KrbEncryptionKey.Generate(authenticatorKey.EncryptionType); } Now(out DateTimeOffset ctime, out int usec); authenticator.CTime = ctime; authenticator.CuSec = usec; var apReq = new KrbApReq { Ticket = tgsRep.Ticket, ApOptions = rst.ApOptions, Authenticator = KrbEncryptedData.Encrypt( authenticator.EncodeApplication(), authenticatorKey, KeyUsage.ApReqAuthenticator ) }; return(apReq); }
public static async Task <T> GenerateServiceTicket <T>(ServiceTicketRequest request) where T : KrbKdcRep, new() { if (request.EncryptedPartKey == null) { throw new ArgumentException("A session key must be provided to encrypt the response", nameof(request.EncryptedPartKey)); } if (request.Principal == null) { throw new ArgumentException("A Principal identity must be provided", nameof(request.Principal)); } if (request.ServicePrincipal == null) { throw new ArgumentException("A service principal must be provided", nameof(request.ServicePrincipal)); } if (request.ServicePrincipalKey == null) { throw new ArgumentException("A service principal key must be provided", nameof(request.ServicePrincipalKey)); } var authz = await GenerateAuthorizationData(request.Principal, request); var cname = KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName); var sessionKey = KrbEncryptionKey.Generate(request.ServicePrincipalKey.EncryptionType); var flags = request.Flags; if (request.PreAuthenticationData?.Any(r => r.Type == PaDataType.PA_REQ_ENC_PA_REP) ?? false) { flags |= TicketFlags.EncryptedPreAuthentication; } var addresses = request.Addresses; if (addresses == null) { addresses = new KrbHostAddress[0]; } var encTicketPart = new KrbEncTicketPart() { CName = cname, Key = sessionKey, AuthTime = request.Now, StartTime = request.StartTime, EndTime = request.EndTime, CRealm = request.RealmName, Flags = flags, AuthorizationData = authz.ToArray(), CAddr = addresses.ToArray(), Transited = new KrbTransitedEncoding() }; if (flags.HasFlag(TicketFlags.Renewable)) { // RenewTill should never increase if it was set previously even if this is a renewal pass encTicketPart.RenewTill = request.RenewTill; } var ticket = new KrbTicket() { Realm = request.RealmName, SName = KrbPrincipalName.FromPrincipal( request.ServicePrincipal, PrincipalNameType.NT_SRV_INST, request.RealmName ), EncryptedPart = KrbEncryptedData.Encrypt( encTicketPart.EncodeApplication(), request.ServicePrincipalKey, KeyUsage.Ticket ) }; KrbEncKdcRepPart encKdcRepPart; if (typeof(T) == typeof(KrbAsRep)) { encKdcRepPart = new KrbEncAsRepPart(); } else if (typeof(T) == typeof(KrbTgsRep)) { encKdcRepPart = new KrbEncTgsRepPart(); } else { throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}"); } encKdcRepPart.AuthTime = encTicketPart.AuthTime; encKdcRepPart.StartTime = encTicketPart.StartTime; encKdcRepPart.EndTime = encTicketPart.EndTime; encKdcRepPart.RenewTill = encTicketPart.RenewTill; encKdcRepPart.KeyExpiration = request.Principal.Expires; encKdcRepPart.Realm = request.RealmName; encKdcRepPart.SName = ticket.SName; encKdcRepPart.Flags = encTicketPart.Flags; encKdcRepPart.CAddr = encTicketPart.CAddr; encKdcRepPart.Key = sessionKey; encKdcRepPart.Nonce = request.Nonce; encKdcRepPart.LastReq = new[] { new KrbLastReq { Type = 0, Value = request.Now } }; encKdcRepPart.EncryptedPaData = new KrbMethodData { MethodData = new[] { new KrbPaData { Type = PaDataType.PA_SUPPORTED_ETYPES, Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory() } } }; var rep = new T { CName = cname, CRealm = request.RealmName, MessageType = MessageType.KRB_AS_REP, Ticket = ticket, EncPart = KrbEncryptedData.Encrypt( encKdcRepPart.EncodeApplication(), request.EncryptedPartKey, encKdcRepPart.KeyUsage ) }; return(rep); }