
Commit 9a25b0d

committed
Add key lookup for PAC signatures too
1 parent 4f29250 commit 9a25b0d

2 files changed

Lines changed: 44 additions & 7 deletions


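--- a/Kerberos.NET/Crypto/KeyTable.cs
+++ b/Kerberos.NET/Crypto/KeyTable.cs
@@ -76,16 +76,21 @@ public void Write(BinaryWriter writer)
 
 public ICollection<KeyEntry> Entries => this.entries ??= new List<KeyEntry>();
 
-public KerberosKey GetKey(ChecksumType type, KrbPrincipalName sname)
-{
-var etype = type switch
+private static EncryptionType EncryptionTypeForChecksumType(ChecksumType type)
+=> type switch
 {
 ChecksumType.HMAC_SHA1_96_AES128 => EncryptionType.AES128_CTS_HMAC_SHA1_96,
 ChecksumType.HMAC_SHA1_96_AES256 => EncryptionType.AES256_CTS_HMAC_SHA1_96,
+ChecksumType.HMAC_SHA256_128_AES128 => EncryptionType.AES128_CTS_HMAC_SHA256_128,
+ChecksumType.HMAC_SHA384_192_AES256 => EncryptionType.AES256_CTS_HMAC_SHA384_192,
 _ => EncryptionType.RC4_HMAC_NT,
 };
-return this.GetKey(etype, sname);
-}
+
+public IEnumerable<KerberosKey> GetKeys(ChecksumType type, KrbPrincipalName sname)
+=> this.GetKeys(EncryptionTypeForChecksumType(type), sname);
+
+public KerberosKey GetKey(ChecksumType type, KrbPrincipalName sname)
+=> this.GetKey(EncryptionTypeForChecksumType(type), sname);
 
 public IEnumerable<KerberosKey> GetKeys(EncryptionType type, KrbPrincipalName sname)
 {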
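Review bot: The default arm `_ => EncryptionType.RC4_HMAC_NT` in EncryptionTypeForChecksumType sends every checksum type without an explicit arm to the RC4 key, and the new GetKeys(ChecksumType, ...) overload now carries that result into the key lookup used for signature validation. A signature type that is unknown or unsupported would therefore be checked against RC4 keys instead of being rejected up front; whether Validate(KerberosKey) later refuses the mismatch is not visible here. Consider giving the HMAC-MD5 checksum type its own explicit arm and making the default arm fail, e.g. `_ => throw new NotSupportedException($"No encryption type for checksum type {type}"),`. If the fallback is deliberate, a comment on that arm should say so and why.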

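--- a/Kerberos.NET/Entities/Pac/PacSignature.cs
+++ b/Kerberos.NET/Entities/Pac/PacSignature.cs
@@ -4,7 +4,10 @@
 // -----------------------------------------------------------------------
 
 using System;
+using System.Linq;
 using System.Runtime.InteropServices;
+using System.Security.Cryptography;
+using System.Security;
 using Kerberos.NET.Crypto;
 using Kerberos.NET.Ndr;
 
@@ -113,9 +116,38 @@ public void Validate(KerberosKey key)
 
 internal void Validate(KeyTable keytab, KrbPrincipalName sname)
 {
-var key = keytab.GetKey(this.Type, sname);
+var keys = keytab.GetKeys(this.Type, sname);
 
-this.Validate(key);
+if (!keys.Any())
+{
+throw new InvalidOperationException($"Could not find a key for {this.Type} and {sname.FullyQualifiedName}");
+}
+
+Exception ex = null;
+
+foreach (var key in keys)
+{
+try
+{
+this.Validate(key);
+return;
+}
+catch (CryptographicException cex)
+{
+ex = cex;
+continue;
+}
+catch (SecurityException secx)
+{
+ex = secx;
+continue;
+}
+}
+
+if (ex != null)
+{
+throw ex;
+}
 }
 
 internal void Sign(Memory<byte> pacUnsigned, KerberosKey key)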
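Review bot: The tail of Validate(KeyTable, KrbPrincipalName) returns normally whenever `ex` is still null, so a signature is only guaranteed to have been checked if the second enumeration of `keys` yields the same entries that `Any()` saw. `keys` is an `IEnumerable<KerberosKey>` that is enumerated twice; materialising it once with `var keys = keytab.GetKeys(this.Type, sname).ToList();` and ending the method with an unconditional throw keeps it fail-closed, with the `return` inside the `try` as the only success path. `throw ex;` also discards the stack trace of the last failure, which `ExceptionDispatchInfo.Capture(ex).Throw();` would preserve. Whether Validate(KerberosKey) reports a key mismatch only as CryptographicException or SecurityException is not visible in this hunk; any other exception type would end the loop at the first key instead of trying the next one.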
