private static KrbChecksum GenerateChecksum(KerberosKey key, KrbPrincipalName userName, string userRealm, string authPackage)
{
var dataLength = 0;
dataLength += 4;
foreach (var name in userName.Name)
{
dataLength += name.Length;
}
dataLength += userRealm.Length;
dataLength += authPackage.Length;
var checksumData = new Memory <byte>(new byte[dataLength]);
BinaryPrimitives.WriteInt32LittleEndian(checksumData.Span, (int)userName.Type);
var position = 4;
for (var i = 0; i < userName.Name.Length; i++)
{
Concat(checksumData, userName.Name[i], ref position);
}
Concat(checksumData, userRealm, ref position);
Concat(checksumData, authPackage, ref position);
return(KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType));
}
private static KrbChecksum GenerateChecksum(KerberosKey key, KrbPrincipalName userName, string userRealm, string authPackage)
{
var dataLength = 0;
dataLength += 4;
foreach (var name in userName.Name)
{
dataLength += name.Length;
}
dataLength += userRealm.Length;
dataLength += authPackage.Length;
var checksumData = new Memory <byte>(new byte[dataLength]);
Endian.ConvertToLittleEndian((int)userName.Type, checksumData);
var position = 4;
for (var i = 0; i < userName.Name.Length; i++)
{
Concat(checksumData, ref position, ref userName.Name[i]);
}
Concat(checksumData, ref position, ref userRealm);
Concat(checksumData, ref position, ref authPackage);
return(KrbChecksum.Create(checksumData, key, KeyUsage.PaForUserChecksum, PaForUserChecksumType));
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbPaSvrReferralData, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 1)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbPrincipalName tmpReferredName;
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out tmpReferredName);
decoded.ReferredName = tmpReferredName;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
decoded.ReferredRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbPaForUser, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.UserName);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
decoded.UserRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out decoded.Checksum);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
decoded.AuthPackage = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
public static KrbAsReq CreateAsReq(KerberosCredential credential, AuthenticationOptions options)
{
var kdcOptions = (KdcOptions)(options & ~AuthenticationOptions.AllAuthentication);
var hostAddress = Environment.MachineName;
var pacRequest = new KrbPaPacRequest
{
IncludePac = options.HasFlag(AuthenticationOptions.IncludePacRequest)
};
var padata = new List <KrbPaData>()
{
new KrbPaData
{
Type = PaDataType.PA_PAC_REQUEST,
Value = pacRequest.Encode()
}
};
var asreq = new KrbAsReq()
{
MessageType = MessageType.KRB_AS_REQ,
Body = new KrbKdcReqBody
{
Addresses = new[] {
new KrbHostAddress {
AddressType = AddressType.NetBios,
Address = Encoding.ASCII.GetBytes(hostAddress.PadRight(16, ' '))
}
},
CName = KrbPrincipalName.FromString(
credential.UserName,
PrincipalNameType.NT_ENTERPRISE,
credential.Domain
),
EType = KerberosConstants.ETypes.ToArray(),
KdcOptions = kdcOptions,
Nonce = KerberosConstants.GetNonce(),
RTime = KerberosConstants.EndOfTime,
Realm = credential.Domain,
SName = new KrbPrincipalName
{
Type = PrincipalNameType.NT_SRV_INST,
Name = new[] { "krbtgt", credential.Domain }
},
Till = KerberosConstants.EndOfTime
},
PaData = padata.ToArray()
};
if (options.HasFlag(AuthenticationOptions.PreAuthenticate))
{
credential.TransformKdcReq(asreq);
}
return(asreq);
}
public static KrbAsRep GenerateTgt(
ServiceTicketRequest rst,
IRealmService realmService
)
{
if (realmService == null)
{
throw new ArgumentNullException(nameof(realmService));
}
rst.Compatibility = realmService.Settings.Compatibility;
// This is approximately correct such that a client doesn't barf on it
// The krbtgt Ticket structure is probably correct as far as AD thinks
// Modulo the PAC, at least.
if (string.IsNullOrWhiteSpace(rst.RealmName))
{
// TODO: Possible bug. Realm service now has multiple krbtgt's so the name is always set
// to the name of our (cloud) KDC name. Will this be an issue for trust ticket or mcticket?
rst.RealmName = realmService.Name;
}
KrbPrincipalName krbtgtName = KrbPrincipalName.WellKnown.Krbtgt(rst.RealmName);
if (rst.ServicePrincipal == null)
{
rst.ServicePrincipal = realmService.Principals.Find(krbtgtName, rst.RealmName);
}
if (rst.ServicePrincipalKey == null)
{
rst.ServicePrincipalKey = rst.ServicePrincipal.RetrieveLongTermCredential();
}
if (rst.KdcAuthorizationKey == null)
{
// Not using rst.ServicePrincipal because it may not actually be krbtgt
var krbtgt = realmService.Principals.Find(krbtgtName, rst.RealmName);
rst.KdcAuthorizationKey = krbtgt.RetrieveLongTermCredential();
}
rst.Now = realmService.Now();
rst.MaximumTicketLifetime = realmService.Settings.SessionLifetime;
rst.MaximumRenewalWindow = realmService.Settings.MaximumRenewalWindow;
if (rst.Flags == 0)
{
rst.Flags = DefaultFlags;
}
return(GenerateServiceTicket <KrbAsRep>(rst));
}
private static KrbPrincipalName CreateCNameForTicket(ServiceTicketRequest request)
{
if (string.IsNullOrEmpty(request.SamAccountName))
{
return(KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName));
}
return(new KrbPrincipalName
{
Type = PrincipalNameType.NT_PRINCIPAL,
Name = new[] { request.SamAccountName }
});
}
private static KrbPrincipalName ExtractCName(KerberosCredential credential)
{
var principalName = KrbPrincipalName.FromString(credential.UserName);
if (principalName.IsServiceName)
{
return(principalName);
}
return(KrbPrincipalName.FromString(
credential.UserName,
PrincipalNameType.NT_ENTERPRISE,
credential.Domain
));
}
public static PrincipalName FromKrbPrincipalName(KrbPrincipalName name, string realm = null)
{
if (name.Name.Length > 2)
{
var possibleRealm = name.Name[2];
if (string.IsNullOrWhiteSpace(realm))
{
realm = possibleRealm;
name.Name = new[] { name.Name[0], name.Name[1] };
}
}
return(new PrincipalName(name.Type, realm, name.Name));
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbFastFinished, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
decoded.Timestamp = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
if (!explicitReader.TryReadInt32(out int tmpUSec))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.USec = tmpUSec;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpTicketChecksum);
decoded.TicketChecksum = tmpTicketChecksum;
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbTicket, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out int tmpTicketNumber))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.TicketNumber = tmpTicketNumber;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpSName);
decoded.SName = tmpSName;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbEncryptedData.Decode <KrbEncryptedData>(explicitReader, out KrbEncryptedData tmpEncryptedPart);
decoded.EncryptedPart = tmpEncryptedPart;
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbError, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out decoded.ProtocolVersionNumber))
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
if (!explicitReader.TryReadInt32(out decoded.MessageType))
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 2)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.CTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
if (explicitReader.TryReadInt32(out int tmpCusec))
{
decoded.Cusec = tmpCusec;
}
else
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
decoded.STime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
if (!explicitReader.TryReadInt32(out decoded.Susc))
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
if (!explicitReader.TryReadInt32(out decoded.ErrorCode))
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 7)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
KrbPrincipalName tmpCName;
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 9));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 10));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.SName);
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 11)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 11));
decoded.EText = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 12)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 12));
if (explicitReader.TryReadPrimitiveOctetStringBytes(out ReadOnlyMemory <byte> tmpEData))
{
decoded.EData = tmpEData;
}
else
{
decoded.EData = explicitReader.ReadOctetString();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbKdcRep, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out decoded.ProtocolVersionNumber))
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
if (!explicitReader.TryReadInt32(out decoded.MessageType))
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 2)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
// Decode SEQUENCE OF for PaData
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbPaData>();
KrbPaData tmpItem;
while (collectionReader.HasData)
{
KrbPaData.Decode <KrbPaData>(collectionReader, out tmpItem);
tmpList.Add(tmpItem);
}
decoded.PaData = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.CName);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
KrbTicket.Decode <KrbTicket>(explicitReader, out decoded.Ticket);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
KrbEncryptedData.Decode <KrbEncryptedData>(explicitReader, out decoded.EncPart);
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbAuthenticator, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out int tmpAuthenticatorVersionNumber))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.AuthenticatorVersionNumber = tmpAuthenticatorVersionNumber;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbChecksum.Decode <KrbChecksum>(explicitReader, out KrbChecksum tmpChecksum);
decoded.Checksum = tmpChecksum;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
if (!explicitReader.TryReadInt32(out int tmpCuSec))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.CuSec = tmpCuSec;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
decoded.CTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
KrbEncryptionKey.Decode <KrbEncryptionKey>(explicitReader, out KrbEncryptionKey tmpSubkey);
decoded.Subkey = tmpSubkey;
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 7)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
if (explicitReader.TryReadInt32(out int tmpSequenceNumber))
{
decoded.SequenceNumber = tmpSequenceNumber;
}
else
{
explicitReader.ThrowIfNotEmpty();
}
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
// Decode SEQUENCE OF for AuthorizationData
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbAuthorizationData>();
KrbAuthorizationData tmpItem;
while (collectionReader.HasData)
{
KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out KrbAuthorizationData tmp);
tmpItem = tmp;
tmpList.Add(tmpItem);
}
decoded.AuthorizationData = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}
public static async Task <T> GenerateServiceTicket <T>(ServiceTicketRequest request)
where T : KrbKdcRep, new()
{
if (request.EncryptedPartKey == null)
{
throw new ArgumentException("A session key must be provided to encrypt the response", nameof(request.EncryptedPartKey));
}
if (request.Principal == null)
{
throw new ArgumentException("A Principal identity must be provided", nameof(request.Principal));
}
if (request.ServicePrincipal == null)
{
throw new ArgumentException("A service principal must be provided", nameof(request.ServicePrincipal));
}
if (request.ServicePrincipalKey == null)
{
throw new ArgumentException("A service principal key must be provided", nameof(request.ServicePrincipalKey));
}
var authz = await GenerateAuthorizationData(request.Principal, request);
var sessionKey = KrbEncryptionKey.Generate(request.ServicePrincipalKey.EncryptionType);
var encTicketPart = CreateEncTicketPart(request, authz.ToArray(), sessionKey);
var ticket = new KrbTicket()
{
Realm = request.RealmName,
SName = KrbPrincipalName.FromPrincipal(
request.ServicePrincipal,
PrincipalNameType.NT_SRV_INST,
request.RealmName
),
EncryptedPart = KrbEncryptedData.Encrypt(
encTicketPart.EncodeApplication(),
request.ServicePrincipalKey,
KeyUsage.Ticket
)
};
KrbEncKdcRepPart encKdcRepPart;
KeyUsage keyUsage;
if (typeof(T) == typeof(KrbAsRep))
{
encKdcRepPart = new KrbEncAsRepPart();
keyUsage = KeyUsage.EncAsRepPart;
}
else if (typeof(T) == typeof(KrbTgsRep))
{
encKdcRepPart = new KrbEncTgsRepPart();
keyUsage = request.EncryptedPartKey.Usage ?? KeyUsage.EncTgsRepPartSessionKey;
}
else
{
throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}");
}
encKdcRepPart.AuthTime = encTicketPart.AuthTime;
encKdcRepPart.StartTime = encTicketPart.StartTime;
encKdcRepPart.EndTime = encTicketPart.EndTime;
encKdcRepPart.RenewTill = encTicketPart.RenewTill;
encKdcRepPart.KeyExpiration = request.Principal.Expires;
encKdcRepPart.Realm = request.RealmName;
encKdcRepPart.SName = ticket.SName;
encKdcRepPart.Flags = encTicketPart.Flags;
encKdcRepPart.CAddr = encTicketPart.CAddr;
encKdcRepPart.Key = sessionKey;
encKdcRepPart.Nonce = request.Nonce;
encKdcRepPart.LastReq = new[] { new KrbLastReq {
Type = 0, Value = request.Now
} };
encKdcRepPart.EncryptedPaData = new KrbMethodData
{
MethodData = new[]
{
new KrbPaData
{
Type = PaDataType.PA_SUPPORTED_ETYPES,
Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory()
}
}
};
var cname = KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName);
var rep = new T
{
CName = cname,
CRealm = request.RealmName,
MessageType = MessageType.KRB_AS_REP,
Ticket = ticket,
EncPart = KrbEncryptedData.Encrypt(
encKdcRepPart.EncodeApplication(),
request.EncryptedPartKey,
keyUsage
)
};
return(rep);
}
public static async Task <T> GenerateServiceTicket <T>(ServiceTicketRequest request)
where T : KrbKdcRep, new()
{
if (request.EncryptedPartKey == null)
{
throw new ArgumentException("A session key must be provided to encrypt the response", nameof(request.EncryptedPartKey));
}
if (request.Principal == null)
{
throw new ArgumentException("A Principal identity must be provided", nameof(request.Principal));
}
if (request.ServicePrincipal == null)
{
throw new ArgumentException("A service principal must be provided", nameof(request.ServicePrincipal));
}
if (request.ServicePrincipalKey == null)
{
throw new ArgumentException("A service principal key must be provided", nameof(request.ServicePrincipalKey));
}
var authz = await GenerateAuthorizationData(request.Principal, request);
var cname = KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName);
var sessionKey = KrbEncryptionKey.Generate(request.ServicePrincipalKey.EncryptionType);
var flags = request.Flags;
if (request.PreAuthenticationData?.Any(r => r.Type == PaDataType.PA_REQ_ENC_PA_REP) ?? false)
{
flags |= TicketFlags.EncryptedPreAuthentication;
}
var addresses = request.Addresses;
if (addresses == null)
{
addresses = new KrbHostAddress[0];
}
var encTicketPart = new KrbEncTicketPart()
{
CName = cname,
Key = sessionKey,
AuthTime = request.Now,
StartTime = request.StartTime,
EndTime = request.EndTime,
CRealm = request.RealmName,
Flags = flags,
AuthorizationData = authz.ToArray(),
CAddr = addresses.ToArray(),
Transited = new KrbTransitedEncoding()
};
if (flags.HasFlag(TicketFlags.Renewable))
{
// RenewTill should never increase if it was set previously even if this is a renewal pass
encTicketPart.RenewTill = request.RenewTill;
}
var ticket = new KrbTicket()
{
Realm = request.RealmName,
SName = KrbPrincipalName.FromPrincipal(
request.ServicePrincipal,
PrincipalNameType.NT_SRV_INST,
request.RealmName
),
EncryptedPart = KrbEncryptedData.Encrypt(
encTicketPart.EncodeApplication(),
request.ServicePrincipalKey,
KeyUsage.Ticket
)
};
KrbEncKdcRepPart encKdcRepPart;
if (typeof(T) == typeof(KrbAsRep))
{
encKdcRepPart = new KrbEncAsRepPart();
}
else if (typeof(T) == typeof(KrbTgsRep))
{
encKdcRepPart = new KrbEncTgsRepPart();
}
else
{
throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}");
}
encKdcRepPart.AuthTime = encTicketPart.AuthTime;
encKdcRepPart.StartTime = encTicketPart.StartTime;
encKdcRepPart.EndTime = encTicketPart.EndTime;
encKdcRepPart.RenewTill = encTicketPart.RenewTill;
encKdcRepPart.KeyExpiration = request.Principal.Expires;
encKdcRepPart.Realm = request.RealmName;
encKdcRepPart.SName = ticket.SName;
encKdcRepPart.Flags = encTicketPart.Flags;
encKdcRepPart.CAddr = encTicketPart.CAddr;
encKdcRepPart.Key = sessionKey;
encKdcRepPart.Nonce = request.Nonce;
encKdcRepPart.LastReq = new[] { new KrbLastReq {
Type = 0, Value = request.Now
} };
encKdcRepPart.EncryptedPaData = new KrbMethodData
{
MethodData = new[]
{
new KrbPaData
{
Type = PaDataType.PA_SUPPORTED_ETYPES,
Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory()
}
}
};
var rep = new T
{
CName = cname,
CRealm = request.RealmName,
MessageType = MessageType.KRB_AS_REP,
Ticket = ticket,
EncPart = KrbEncryptedData.Encrypt(
encKdcRepPart.EncodeApplication(),
request.EncryptedPartKey,
encKdcRepPart.KeyUsage
)
};
return(rep);
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbKdcReqBody, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (explicitReader.TryReadPrimitiveBitStringValue(out _, out ReadOnlyMemory <byte> tmpKdcOptions))
{
decoded.KdcOptions = (KdcOptions)tmpKdcOptions.AsLong();
}
else
{
decoded.KdcOptions = (KdcOptions)explicitReader.ReadBitString(out _).AsLong();
}
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 1)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpSName);
decoded.SName = tmpSName;
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 4)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
decoded.From = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
decoded.Till = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
decoded.RTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
if (!explicitReader.TryReadInt32(out int tmpNonce))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.Nonce = tmpNonce;
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
// Decode SEQUENCE OF for EType
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <EncryptionType>();
EncryptionType tmpItem;
while (collectionReader.HasData)
{
if (!collectionReader.TryReadInt32(out EncryptionType tmp))
{
collectionReader.ThrowIfNotEmpty();
}
tmpItem = tmp;
tmpList.Add(tmpItem);
}
decoded.EType = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 9)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 9));
// Decode SEQUENCE OF for Addresses
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbHostAddress>();
KrbHostAddress tmpItem;
while (collectionReader.HasData)
{
KrbHostAddress.Decode <KrbHostAddress>(collectionReader, out KrbHostAddress tmp);
tmpItem = tmp;
tmpList.Add(tmpItem);
}
decoded.Addresses = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 10)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 10));
KrbEncryptedData.Decode <KrbEncryptedData>(explicitReader, out KrbEncryptedData tmpEncAuthorizationData);
decoded.EncAuthorizationData = tmpEncAuthorizationData;
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 11)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 11));
// Decode SEQUENCE OF for AdditionalTickets
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbTicket>();
KrbTicket tmpItem;
while (collectionReader.HasData)
{
KrbTicket.Decode <KrbTicket>(collectionReader, out KrbTicket tmp);
tmpItem = tmp;
tmpList.Add(tmpItem);
}
decoded.AdditionalTickets = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}
public static async Task <T> GenerateServiceTicket <T>(ServiceTicketRequest request)
where T : KrbKdcRep, new()
{
var sessionKey = KrbEncryptionKey.Generate(request.ServicePrincipalKey.EncryptionType);
var authz = await GenerateAuthorizationData(request.Principal, request.ServicePrincipalKey);
var cname = KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName);
var flags = request.Flags;
if (request.Principal.SupportedPreAuthenticationTypes.Any())
{
// This is not strictly an accurate way of detecting if the user was pre-authenticated.
// If pre-auth handlers are registered and the principal has PA-Types available, a request
// will never make it to this point without getting authenticated.
//
// However if no pre-auth handlers are registered, then the PA check is skipped
// and this isn't technically accurate anymore.
//
// TODO: this should tie into the make-believe policy check being used in the
// auth handler section
flags |= TicketFlags.EncryptedPreAuthentication | TicketFlags.PreAuthenticated;
}
var addresses = request.Addresses;
if (addresses == null)
{
addresses = new KrbHostAddress[0];
}
var encTicketPart = new KrbEncTicketPart()
{
CName = cname,
Key = sessionKey,
AuthTime = request.Now,
StartTime = request.StartTime,
EndTime = request.EndTime,
CRealm = request.RealmName,
Flags = flags,
AuthorizationData = authz.ToArray(),
CAddr = addresses.ToArray(),
Transited = new KrbTransitedEncoding()
};
if (flags.HasFlag(TicketFlags.Renewable))
{
// RenewTill should never increase if it was set previously even if this is a renewal pass
encTicketPart.RenewTill = request.RenewTill;
}
var ticket = new KrbTicket()
{
Realm = request.RealmName,
SName = KrbPrincipalName.FromPrincipal(
request.ServicePrincipal,
PrincipalNameType.NT_SRV_INST,
request.RealmName
),
EncryptedPart = KrbEncryptedData.Encrypt(
encTicketPart.EncodeApplication(),
request.ServicePrincipalKey,
KeyUsage.Ticket
)
};
KrbEncKdcRepPart encKdcRepPart;
if (typeof(T) == typeof(KrbAsRep))
{
encKdcRepPart = new KrbEncAsRepPart();
}
else if (typeof(T) == typeof(KrbTgsRep))
{
encKdcRepPart = new KrbEncTgsRepPart();
}
else
{
throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}");
}
encKdcRepPart.AuthTime = encTicketPart.AuthTime;
encKdcRepPart.StartTime = encTicketPart.StartTime;
encKdcRepPart.EndTime = encTicketPart.EndTime;
encKdcRepPart.RenewTill = encTicketPart.RenewTill;
encKdcRepPart.KeyExpiration = request.Principal.Expires;
encKdcRepPart.Realm = request.RealmName;
encKdcRepPart.SName = ticket.SName;
encKdcRepPart.Flags = encTicketPart.Flags;
encKdcRepPart.CAddr = encTicketPart.CAddr;
encKdcRepPart.Key = sessionKey;
encKdcRepPart.Nonce = KerberosConstants.GetNonce();
encKdcRepPart.LastReq = new[] { new KrbLastReq {
Type = 0, Value = request.Now
} };
encKdcRepPart.EncryptedPaData = new KrbMethodData
{
MethodData = new[]
{
new KrbPaData
{
Type = PaDataType.PA_SUPPORTED_ETYPES,
Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory()
}
}
};
encKdcRepPart.EncodeApplication();
var rep = new T
{
CName = cname,
CRealm = request.RealmName,
MessageType = MessageType.KRB_AS_REP,
Ticket = ticket,
EncPart = KrbEncryptedData.Encrypt(
encKdcRepPart.EncodeApplication(),
request.EncryptedPartKey,
encKdcRepPart.KeyUsage
)
};
return(rep);
}
private static ServiceTicketRequest GenerateServiceTicket <T>(
ServiceTicketRequest request,
out KrbEncTicketPart encTicketPart,
out KrbTicket ticket,
out KrbEncKdcRepPart encKdcRepPart,
out KeyUsage keyUsage,
out MessageType messageType
)
where T : KrbKdcRep, new()
{
if (request.Principal == null)
{
throw new InvalidOperationException("A Principal identity must be provided");
}
if (request.ServicePrincipal == null)
{
throw new InvalidOperationException("A service principal must be provided");
}
if (request.ServicePrincipalKey == null)
{
throw new InvalidOperationException("A service principal key must be provided");
}
var authz = GenerateAuthorizationData(request);
var sessionKey = KrbEncryptionKey.Generate(request.PreferredClientEType ?? request.ServicePrincipalKey.EncryptionType);
encTicketPart = CreateEncTicketPart(request, authz.ToArray(), sessionKey);
bool appendRealm = false;
if (request.ServicePrincipal.PrincipalName.Contains("/"))
{
appendRealm = true;
}
ticket = new KrbTicket()
{
Realm = request.RealmName,
SName = KrbPrincipalName.FromPrincipal(
request.ServicePrincipal,
PrincipalNameType.NT_SRV_INST,
appendRealm ? null : request.RealmName
),
EncryptedPart = KrbEncryptedData.Encrypt(
encTicketPart.EncodeApplication(),
request.ServicePrincipalKey,
KeyUsage.Ticket
)
};
if (typeof(T) == typeof(KrbAsRep))
{
encKdcRepPart = new KrbEncAsRepPart();
keyUsage = KeyUsage.EncAsRepPart;
messageType = MessageType.KRB_AS_REP;
}
else if (typeof(T) == typeof(KrbTgsRep))
{
encKdcRepPart = new KrbEncTgsRepPart();
keyUsage = request.EncryptedPartKey?.Usage ?? KeyUsage.EncTgsRepPartSessionKey;
messageType = MessageType.KRB_TGS_REP;
}
else
{
throw new InvalidOperationException($"Requested Service Ticket type is neither KrbAsRep nor KrbTgsRep. Type: {typeof(T)}");
}
encKdcRepPart.AuthTime = encTicketPart.AuthTime;
encKdcRepPart.StartTime = encTicketPart.StartTime;
encKdcRepPart.EndTime = encTicketPart.EndTime;
encKdcRepPart.RenewTill = encTicketPart.RenewTill;
encKdcRepPart.KeyExpiration = request.Principal.Expires;
encKdcRepPart.Realm = request.RealmName;
encKdcRepPart.SName = ticket.SName;
encKdcRepPart.Flags = encTicketPart.Flags;
encKdcRepPart.CAddr = encTicketPart.CAddr;
encKdcRepPart.Key = sessionKey;
encKdcRepPart.Nonce = request.Nonce;
encKdcRepPart.LastReq = new[] { new KrbLastReq {
Type = 0, Value = request.Now
} };
encKdcRepPart.EncryptedPaData = new KrbMethodData
{
MethodData = new[]
{
new KrbPaData
{
Type = PaDataType.PA_SUPPORTED_ETYPES,
Value = request.Principal.SupportedEncryptionTypes.AsReadOnly(littleEndian: true).AsMemory()
}
}
};
return(request);
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbEncTicketPart, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
AsnReader collectionReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (explicitReader.TryReadPrimitiveBitStringValue(out _, out ReadOnlyMemory <byte> tmpFlags))
{
decoded.Flags = (TicketFlags)tmpFlags.AsLong();
}
else
{
decoded.Flags = (TicketFlags)explicitReader.ReadBitString(out _).AsLong();
}
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbEncryptionKey.Decode <KrbEncryptionKey>(explicitReader, out decoded.Key);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out decoded.CName);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
KrbTransitedEncoding.Decode <KrbTransitedEncoding>(explicitReader, out decoded.Transited);
explicitReader.ThrowIfNotEmpty();
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 5));
decoded.AuthTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 6)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 6));
decoded.StartTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 7));
decoded.EndTime = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 8)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 8));
decoded.RenewTill = explicitReader.ReadGeneralizedTime();
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 9)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 9));
// Decode SEQUENCE OF for CAddr
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbHostAddress>();
KrbHostAddress tmpItem;
while (collectionReader.HasData)
{
KrbHostAddress.Decode <KrbHostAddress>(collectionReader, out tmpItem);
tmpList.Add(tmpItem);
}
decoded.CAddr = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 10)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 10));
// Decode SEQUENCE OF for AuthorizationData
{
collectionReader = explicitReader.ReadSequence();
var tmpList = new List <KrbAuthorizationData>();
KrbAuthorizationData tmpItem;
while (collectionReader.HasData)
{
KrbAuthorizationData.Decode <KrbAuthorizationData>(collectionReader, out tmpItem);
tmpList.Add(tmpItem);
}
decoded.AuthorizationData = tmpList.ToArray();
}
explicitReader.ThrowIfNotEmpty();
}
sequenceReader.ThrowIfNotEmpty();
}
internal static void Decode <T>(AsnReader reader, Asn1Tag expectedTag, out T decoded)
where T : KrbS4uUserId, new()
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
decoded = new T();
AsnReader sequenceReader = reader.ReadSequence(expectedTag);
AsnReader explicitReader;
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (!explicitReader.TryReadInt32(out int tmpNonce))
{
explicitReader.ThrowIfNotEmpty();
}
decoded.Nonce = tmpNonce;
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 1)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
KrbPrincipalName.Decode <KrbPrincipalName>(explicitReader, out KrbPrincipalName tmpCName);
decoded.CName = tmpCName;
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
explicitReader.ThrowIfNotEmpty();
if (sequenceReader.HasData && sequenceReader.PeekTag().HasSameClassAndValue(new Asn1Tag(TagClass.ContextSpecific, 3)))
{
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 3));
if (explicitReader.TryReadPrimitiveOctetStringBytes(out ReadOnlyMemory <byte> tmpSubjectCertificate))
{
decoded.SubjectCertificate = tmpSubjectCertificate;
}
else
{
decoded.SubjectCertificate = explicitReader.ReadOctetString();
}
explicitReader.ThrowIfNotEmpty();
}
explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 4));
if (explicitReader.TryReadPrimitiveBitStringValue(out _, out ReadOnlyMemory <byte> tmpOptions))
{
decoded.Options = (S4uOptions)tmpOptions.AsLong();
}
else
{
decoded.Options = (S4uOptions)explicitReader.ReadBitString(out _).AsLong();
}
explicitReader.ThrowIfNotEmpty();
sequenceReader.ThrowIfNotEmpty();
}
