public KerberosArmoredRequest(IFastArmor fastArmor, Checksum checkSum, EncryptedData encFastReq)
{
FastArmor = fastArmor;
CheckSum = checkSum;
ArmorKey = null;
EType = (long) encFastReq.etype.Value;
EncFastReq = encFastReq;
}
public KerberosArmoredRequest(IFastArmor fastArmor, Checksum checkSum, long etype, byte[] armorKey, KerberosFastRequest fastReq)
{
FastArmor = fastArmor;
CheckSum = checkSum;
ArmorKey = armorKey;
EType = etype;
FastReq = fastReq;
}
public KrbFastArmoredReq(
KrbFastArmor param0,
Checksum param1,
EncryptedData param2)
{
this.armor = param0;
this.req_checksum = param1;
this.enc_fast_req = param2;
}
public AD_KDCIssued(
Checksum param0,
Realm param1,
PrincipalName param2,
AuthorizationData param3)
{
this.ad_checksum = param0;
this.i_realm = param1;
this.i_sname = param2;
this.elements = param3;
}
public KRB_SAFE(
Asn1Integer param0,
Asn1Integer param1,
KRB_SAFE_BODY param2,
Checksum param3)
{
this.pvno = param0;
this.msg_type = param1;
this.safe_body = param2;
this.cksum = param3;
}
public KrbFastFinished(
KerberosTime param0,
Microseconds param1,
Realm param2,
PrincipalName param3,
Checksum param4)
{
this.timestamp = param0;
this.usec = param1;
this.crealm = param2;
this.cname = param3;
this.ticket_checksum = param4;
}
public Authenticator(
Asn1Integer param0,
Realm param1,
PrincipalName param2,
Checksum param3,
Microseconds param4,
KerberosTime param5,
EncryptionKey param6,
KerbUInt32 param7,
AuthorizationData param8)
{
this.authenticator_vno = param0;
this.crealm = param1;
this.cname = param2;
this.cksum = param3;
this.cusec = param4;
this.ctime = param5;
this.subkey = param6;
this.seq_number = param7;
this.authorization_data = param8;
}
public void KrbFastFinishedTgsRep()
{
base.Logging();
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.ClientComputer.NetBiosName,
this.testConfig.LocalRealm.ClientComputer.Password,
KerberosAccountType.Device,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid,
testConfig.LocalRealm.ClientComputer.AccountSalt);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// AS_REQ and KRB-ERROR using device principal
KdcOptions options = KdcOptions.FORWARDABLE | KdcOptions.CANONICALIZE | KdcOptions.RENEWABLE;
client.SendAsRequest(options, null);
METHOD_DATA methodData;
KerberosKrbError krbError1 = client.ExpectPreauthRequiredError(out methodData);
// AS_REQ and AS_REP using device principal
string timeStamp = KerberosUtility.CurrentKerberosTime.Value;
PaEncTimeStamp paEncTimeStamp = new PaEncTimeStamp(
timeStamp,
0,
client.Context.SelectedEType,
this.client.Context.CName.Password,
this.client.Context.CName.Salt);
Asn1SequenceOf<PA_DATA> seqOfPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp.Data });
client.SendAsRequest(options, seqOfPaData);
KerberosAsResponse asResponse = client.ExpectAsResponse();
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", asResponse.EncPart.GetType().Name));
// Switch to user principal
client = new KerberosTestClient(
this.testConfig.LocalRealm.RealmName,
this.testConfig.LocalRealm.User[1].Username,
this.testConfig.LocalRealm.User[1].Password,
KerberosAccountType.User,
client.Context.Ticket,
client.Context.SessionKey,
testConfig.LocalRealm.KDC[0].IPAddress,
testConfig.LocalRealm.KDC[0].Port,
testConfig.TransportType,
testConfig.SupportedOid);
// Kerberos Proxy Service is used
if (this.testConfig.UseProxy)
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Initialize KKDCP Client .");
KKDCPClient proxyClient = new KKDCPClient(proxyClientConfig);
proxyClient.TargetDomain = this.testConfig.LocalRealm.RealmName;
client.UseProxy = true;
client.ProxyClient = proxyClient;
}
// FAST armored AS_REQ and KRB-ERROR using user principal
//Create a "random" key.
var subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password02!", "this is a salt");
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(KerberosUtility.ConvertInt2Flags((int)0));
var apOptions = ApOptions.None;
Asn1SequenceOf<PA_DATA> seqOfPaData2 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { new PA_DATA(new KerbInt32((long)PaDataType.PA_FX_FAST), null) });
client.SendAsRequestWithFast(options, seqOfPaData2, null, subkey, fastOptions, apOptions);
KerberosKrbError krbError2 = client.ExpectKrbError();
BaseTestSite.Assert.AreEqual(krbError2.ErrorCode, KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED, "Pre-authentication required.");
// FAST armored AS_REQ and AS_REP using user principal
var userKey = KerberosUtility.MakeKey(
client.Context.SelectedEType,
client.Context.CName.Password,
client.Context.CName.Salt);
PaEncryptedChallenge paEncTimeStamp3 = new PaEncryptedChallenge(
client.Context.SelectedEType,
KerberosUtility.CurrentKerberosTime.Value,
0,
client.Context.FastArmorkey,
userKey);
Asn1SequenceOf<PA_DATA> seqOfPaData3 = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paEncTimeStamp3.Data });
client.SendAsRequestWithFast(options, seqOfPaData3, null, subkey, fastOptions, apOptions);
KerberosAsResponse userKrbAsRep = client.ExpectAsResponse();
BaseTestSite.Log.Add(
LogEntryKind.Comment,
string.Format("The type of AS-REP encrypted part is {0}.", userKrbAsRep.EncPart.GetType().Name));
// FAST armored TGS_REQ and TGS_REP using user principal
subkey = KerberosUtility.MakeKey(client.Context.SelectedEType, "Password03!", "this is a salt");
client.SendTgsRequestWithFast(testConfig.LocalRealm.ClientComputer.DefaultServiceName, options, null, null, subkey, fastOptions, apOptions);
KerberosTgsResponse userKrbTgsRep = client.ExpectTgsResponse(KeyUsageNumber.TGS_REP_encrypted_part_subkey);
BaseTestSite.Assert.IsNotNull(userKrbTgsRep.EncPart, "The encrypted part of TGS-REP is decrypted.");
//Verify KrbFastFinished.
KrbFastFinished fastFinishedTgs = null;
BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.padata, "The padata of AS-REP is not null.");
BaseTestSite.Assert.IsNotNull(userKrbAsRep.Response.padata.Elements, "The padata of AS-REP is not empty.");
foreach (PA_DATA paData in userKrbTgsRep.Response.padata.Elements)
{
var parsedPaData = PaDataParser.ParseRepPaData(paData);
if (parsedPaData is PaFxFastRep)
{
var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep();
var kerbFastRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(client.Context.FastArmorkey);
fastFinishedTgs = kerbFastRep.FastResponse.finished;
break;
}
}
BaseTestSite.Assert.IsNotNull(fastFinishedTgs, "The finished field contains a KrbFastFinished structure.");
Asn1BerEncodingBuffer buf2 = new Asn1BerEncodingBuffer();
userKrbTgsRep.Response.ticket.BerEncode(buf2);
Checksum ticketChecksumTgs = new Checksum(new KerbInt32((long)KerberosUtility.GetChecksumType(client.Context.SelectedEType)), new Asn1OctetString(KerberosUtility.GetChecksum(
client.Context.FastArmorkey.keyvalue.ByteArrayValue,
buf2.Data,
(int)KeyUsageNumber.FAST_FINISHED,
KerberosUtility.GetChecksumType(client.Context.SelectedEType))));
BaseTestSite.Assert.IsTrue(
KerberosUtility.CompareChecksum(fastFinishedTgs.ticket_checksum, ticketChecksumTgs),
"The ticket checksum is correct.");
}
public PaFxFastReq CreateTgsPaFxFast(
EncryptionKey armorKey,
KerberosTicket armorTicket,
FastOptions fastOptions,
ApOptions apOptions,
Asn1SequenceOf<PA_DATA> seqPaData,
string sName,
byte[] apReq,
IFastArmor armor = null
)
{
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
//Generate checksum
var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
var chksum = KerberosUtility.GetChecksum(
armorKey.keyvalue.ByteArrayValue,
apReq,
(int)KeyUsageNumber.FAST_REQ_CHECKSUM,
checksumType);
Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));
KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
KerberosArmoredRequest armoredReq
= new KerberosArmoredRequest(armor, checkSum, (long)Context.SelectedEType, armorKey.keyvalue.ByteArrayValue, fastReq);
PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
return paFxfast;
}
public PaFxFastReq CreateAsPaFxFast(
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
Asn1SequenceOf<PA_DATA> seqPaData,
string sName,
KDC_REQ_BODY kdcReqBody,
KrbFastArmorType armorType
)
{
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
var armorKey = KerberosUtility.MakeArmorKey(
Context.SelectedEType,
subKey.keyvalue.ByteArrayValue,
Context.ArmorSessionKey.keyvalue.ByteArrayValue);
Context.FastArmorkey = new EncryptionKey(new KerbInt32((long)Context.SelectedEType), new Asn1OctetString(armorKey));
Asn1BerEncodingBuffer encodebuf = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(encodebuf);
var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
var chksum = KerberosUtility.GetChecksum(
armorKey,
encodebuf.Data,
(int)KeyUsageNumber.FAST_REQ_CHECKSUM,
checksumType);
Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, subKey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
FastArmorApRequest fastArmor = new FastArmorApRequest(apReq.Request);
fastArmor.armorType = armorType;
KerberosArmoredRequest armoredReq
= new KerberosArmoredRequest(fastArmor, checkSum, (long)Context.SelectedEType, armorKey, fastReq);
PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
return paFxfast;
}
