pkinit

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 19, 2025 License: MIT Imports: 32 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// DiffieHellmanPrime is the Diffie Hellman prime (P) that is acccepted by PKINIT.
	DiffieHellmanPrime = big.NewInt(0)
	// DiffieHellmanPrime is the Diffie Hellman base (G) that is acccepted by PKINIT.
	DiffieHellmanBase = big.NewInt(2)
)
View Source 
var DefaultKerberosRoundtripDeadline = 5 * time.Second

DefaultKerberosRoundtripDeadline is the maximum time a roundtrip with the KDC can take before it is aborted. This deadline is for each KDC that is considered.

Functions

func ASExchange 

func ASExchange(
	ctx context.Context, asReq messages.ASReq, domain string, config *config.Config,
	dialer ContextDialer, roundtripDeadline time.Duration,
) (asRep messages.ASRep, err error)

ASExchange sends a ASReq to the KDC for the provided domain and returns the ASRep.

func Authenticate 

func Authenticate(
	ctx context.Context, user string, domain string, cert *x509.Certificate, key *rsa.PrivateKey,
	krbConfig *config.Config, opts ...Option,
) (*credentials.CCache, error)

Authenticate obtains a ticket granting ticket using PKINIT and returns it in a CCache which can be serialized using ccachetools.MarshalCCache.

func ConfigureASReq 

func ConfigureASReq(
	asReq *messages.ASReq, cert *x509.Certificate, key *rsa.PrivateKey, dhKey *big.Int, dhClientNonce []byte,
) error

ConfigureASReq configures an ASReq for PKINIT.

func Decrypt 

func Decrypt(asRep *messages.ASRep, dhKey *big.Int, dhClientNonce []byte) (pkinitKey types.EncryptionKey, err error)

Decrypt decrypts the encrypted parts of an ASRep with the key derived during PKINIT.

func DiffieHellmanPublicKey 

func DiffieHellmanPublicKey(privateKey *big.Int) *big.Int

DiffieHellmanPublicKey derives the Diffie Hellman public key from the provided private key with the parameters that are accepted by PKINIT.

func DiffieHellmanSharedSecret 

func DiffieHellmanSharedSecret(privateKey *big.Int, publicKey *big.Int) *big.Int

DiffieHellmanSharedSecret derives the Diffie Hellman shared secret with the parameters that are accepted by PKINIT.

func ExtractNegotiatedKey 

func ExtractNegotiatedKey(
	asRep *messages.ASRep, dhKey *big.Int, dhClientNonce []byte,
) (ekey types.EncryptionKey, err error)

ExtractNegotiatedKey extracts the key derived during PKINIT.

func NewASReq 

func NewASReq(
	username string, domain string, cert *x509.Certificate, key *rsa.PrivateKey, dhKey *big.Int, config *config.Config,
) (asReq messages.ASReq, dhClientNonce []byte, err error)

NewASReq generates an ASReq configured for PKINIT.

func NewDiffieHellmanNonce 

func NewDiffieHellmanNonce() []byte

NewDiffieHellmanNonce generates a nonce for the Diffie Hellman key exchange.

func PKCS7Sign 

func PKCS7Sign(data []byte, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte, error)

PKCS7Sign signs the data according to PKCS#7.

func TGSExchange 

func TGSExchange(
	ctx context.Context, tgsReq messages.TGSReq, config *config.Config, domain string,
	dialer ContextDialer, roundtripDeadline time.Duration,
) (tgsRep messages.TGSRep, err error)

TGSExchange sends a TGSReq to the KDC for the provided domain and returns the TGSRep.

Types

type AlgorithmIdentifier 

type AlgorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier `asn1:"implicit"`
	Parameters DomainParameters      `asn1:"implicit,optional"`
}

type Attribute 

type Attribute struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}

type AuthPack 

type AuthPack struct {
	// AuthPack ::= SEQUENCE {
	// 	pkAuthenticator         [0] PKAuthenticator,
	// 	clientPublicValue       [1] SubjectPublicKeyInfo OPTIONAL,
	// 	supportedCMSTypes       [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
	// 	clientDHNonce           [3] DHNonce OPTIONAL,
	// 	...,
	// 	supportedKDFs		[4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
	// 	...
	// }
	PKAuthenticator   PKAuthenticator            `asn1:"tag:0,explicit"`
	ClientPublicValue SubjectPublicKeyInfo       `asn1:"tag:1,explicit,optional"`
	SupportedCMSTypes []pkix.AlgorithmIdentifier `asn1:"tag:2,explicit,optional"`
	ClientDHNonce     []byte                     `asn1:"tag:3,explicit,optional"`
}

type AuthoirzationData 

type AuthoirzationData []AuthoirzationDataElement

type AuthoirzationDataElement 

type AuthoirzationDataElement struct {
	ADType int    `asn1:"tag:0"`
	ADData []byte `asn1:"tag:1"`
}

type ContentInfo 

type ContentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,optional,tag:0"`
}

type ContextDialer 

type ContextDialer interface {
	DialContext(ctx context.Context, net string, addr string) (net.Conn, error)
}

ContextDialer is a context aware dialer such as net.Dialer or the SOCKS5 dialer returned by proxy.SOCKS5.

type DHRepInfo 

type DHRepInfo struct {
	DHSignedData  []byte `asn1:"tag:0"`
	ServerDHNonce []byte `asn1:"tag:1,explicit,optional"`
}

type DomainParameters 

type DomainParameters struct {
	// DomainParameters ::= SEQUENCE {
	// 	p       INTEGER, -- odd prime, p=jq +1
	// 	g       INTEGER, -- generator, g
	// 	q       INTEGER, -- factor of p-1
	// 	j       INTEGER OPTIONAL, -- subgroup factor
	// 	validationParams  ValidationParams OPTIONAL }
	P *big.Int
	G int
	Q int
}

type Hash 

type Hash struct {
	// contains filtered or unexported fields
}

Hash represents LM and NT password hashes.

func NewHash 

func NewHash(ntlmSupplementalCredential *pac.NTLMSupplementalCredential) (*Hash, error)

func UnPACTheHash 

func UnPACTheHash(
	ctx context.Context, user string, domain string, cert *x509.Certificate, key *rsa.PrivateKey,
	krbConfig *config.Config, opts ...Option,
) (*credentials.CCache, *Hash, error)

UnPACTheHash retrieves the user's NT hash via PKINIT using the provided certificates.

func UnPACTheHashFromPFX 

func UnPACTheHashFromPFX(
	ctx context.Context, username string, domain string, pfxFile string, pfxPassword string,
	dc string, opts ...Option,
) (*credentials.CCache, *Hash, error)

UnPACTheHash retrieves the user's NT hash via PKINIT using the provided PFX file. The DC argument is optional.

func UnPACTheHashFromPFXData 

func UnPACTheHashFromPFXData(
	ctx context.Context, username string, domain string, pfxData []byte, pfxPassword string,
	dc string, opts ...Option,
) (*credentials.CCache, *Hash, error)

UnPACTheHash retrieves the user's NT hash via PKINIT using the provided PFX data. The DC argument is optional.

func (*Hash) Combined 

func (h *Hash) Combined() string

Combined returns the hex-encoded hashes in LM:NT format. If any of these hashes is not present, they are replaced by their respective empty hash value.

func (*Hash) Empty 

func (h *Hash) Empty() bool

Empty returns true if the structure contains neither LM nor NT hash data.

func (*Hash) LM 

func (h *Hash) LM() string

LM returns the hex-encoded LM hash or an empty string if no LM hash is present.

func (*Hash) LMBytes 

func (h *Hash) LMBytes() []byte

LMBytes returns the binary LM hash or an empty slice if no LM hash is present.

func (*Hash) LMPresent 

func (h *Hash) LMPresent() bool

LMPresent indicates whether or not an LM hash is present.

func (*Hash) NT 

func (h *Hash) NT() string

NT returns the hex-encoded NT hash or an empty string if no NT hash is present.

func (*Hash) NTBytes 

func (h *Hash) NTBytes() []byte

NTBytes returns the binary NT hash or an empty slice if no NT hash is present.

func (*Hash) NTPresent 

func (h *Hash) NTPresent() bool

NTPresent indicates whether or not an NT hash is present.

type IssuerAndSerial 

type IssuerAndSerial struct {
	IssuerName   asn1.RawValue
	SerialNumber *big.Int
}

type KDCDHKeyInfo 

type KDCDHKeyInfo struct {
	SubjectPublicKey asn1.BitString `asn1:"tag:0,explicit"`
	Nonce            *big.Int       `asn1:"tag:1,explicit"`
	DHKeyExpication  time.Time      `asn1:"tag:2,explicit,optional,generalized"`
}

type Option 

type Option interface {
	// contains filtered or unexported methods
}

Option can be passed to a function to modify the default behavior.

func WithDialer 

func WithDialer(dialer ContextDialer) Option

WithDialer can be used to set a custom dialer for communication with a DC.

func WithRoundtripDeadline 

func WithRoundtripDeadline(deadline time.Duration) Option

WithRoundtripDeadline can be used to set a deadline for a single request-response roundtrip with a single KDC.

type PAPACRequest 

type PAPACRequest struct {
	IncludePAC bool `asn1:"explicit,tag:0"`
}

func (*PAPACRequest) AsPAData 

func (p *PAPACRequest) AsPAData() types.PAData

type PAPKASRep 

type PAPKASRep struct {
	DHInfo asn1.RawValue
}

type PKAuthenticator 

type PKAuthenticator struct {
	// PKAuthenticator ::= SEQUENCE {
	// 	cusec                   [0] INTEGER -- (0..999999) --,
	// 	ctime                   [1] KerberosTime,
	// 	nonce                   [2] INTEGER (0..4294967295),
	// 	paChecksum              [3] OCTET STRING OPTIONAL,
	// 	...
	// asn1
	CUSec    int       `asn1:"tag:0,explicit"`
	CTime    time.Time `asn1:"tag:1,explicit,generalized"`
	Nonce    int       `asn1:"tag:2,explicit"`
	Checksum []byte    `asn1:"tag:3,explicit,optional"`
}

type RawCertificates 

type RawCertificates struct {
	Raw asn1.RawContent
}

func RawCertificate 

func RawCertificate(cert *x509.Certificate) (RawCertificates, error)

type SignedData 

type SignedData struct {
	Version                    int                        `asn1:"default:1"`
	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo                ContentInfo
	Certificates               RawCertificates       `asn1:"optional,tag:0"`
	CRLs                       []x509.RevocationList `asn1:"optional,tag:1"`
	SignerInfos                []SignerInfo          `asn1:"set"`
}

type SignerInfo 

type SignerInfo struct {
	Version                   int `asn1:"default:1"`
	IssuerAndSerialNumber     IssuerAndSerial
	DigestAlgorithm           pkix.AlgorithmIdentifier
	AuthenticatedAttributes   []Attribute `asn1:"optional,omitempty,tag:0"`
	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedDigest           []byte
	UnauthenticatedAttributes []pkix.AttributeTypeAndValue `asn1:"optional,omitempty,tag:1"`
}

type SubjectPublicKeyInfo 

type SubjectPublicKeyInfo struct {
	// SubjectPublicKeyInfo  ::=  SEQUENCE  {
	// 	algorithm            AlgorithmIdentifier{PUBLIC-KEY,
	// 							{PublicKeyAlgorithms}},
	// 	subjectPublicKey     BIT STRING  }
	Algorithm AlgorithmIdentifier
	PublicKey asn1.BitString
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.