Reworked decryption to be more generic.

Author: tyranid

NtApiDotNet/NtApiDotNet.csproj

@@ -322,6 +322,7 @@
     <Compile Include="Win32\SafeHandles\SafeLsaLogonHandle.cs" />
     <Compile Include="Utilities\ASN1\DERParser.cs" />
     <Compile Include="Win32\Security\Authentication\ASN1AuthenticationToken.cs" />
+    <Compile Include="Win32\Security\Authentication\AuthenticationKey.cs" />
     <Compile Include="Win32\Security\Authentication\GSSAPIUtils.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosAPReplyEncryptedPart.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosAuthorizationDataPACDevice.cs" />
@@ -354,7 +355,7 @@
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosErrorAuthenticationToken.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosTGTRequestAuthenticationToken.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosAuthenticationToken.cs" />
-    <Compile Include="Win32\Security\Authentication\Kerberos\KerberosKey.cs" />
+    <Compile Include="Win32\Security\Authentication\Kerberos\KerberosAuthenticationKey.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosTGTReplyAuthenticationToken.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosTicket.cs" />
     <Compile Include="Win32\Security\Authentication\Kerberos\KerberosUtils.cs" />

NtApiDotNet/Win32/Security/Authentication/AuthenticationKey.cs

@@ -0,0 +1,29 @@
+//  Copyright 2020 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace NtApiDotNet.Win32.Security.Authentication
+{
+    /// <summary>
+    /// Base class which represents an authentication key.
+    /// </summary>
+    public abstract class AuthenticationKey
+    {
+    }
+}

NtApiDotNet/Win32/Security/Authentication/AuthenticationToken.cs

@@ -16,6 +16,7 @@
 using NtApiDotNet.Win32.Security.Authentication.Kerberos;
 using NtApiDotNet.Win32.Security.Authentication.Negotiate;
 using NtApiDotNet.Win32.Security.Authentication.Ntlm;
+using System.Collections.Generic;
 
 namespace NtApiDotNet.Win32.Security.Authentication
 {
@@ -26,6 +27,16 @@ public class AuthenticationToken
     {
         private readonly byte[] _data;
 
+        /// <summary>
+        /// Decrypt the Authentication Token using a keyset.
+        /// </summary>
+        /// <param name="keyset">The set of keys to decrypt the </param>
+        /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
+        public virtual AuthenticationToken Decrypt(IEnumerable<AuthenticationKey> keyset)
+        {
+            return this;
+        }
+
         /// <summary>
         /// Convert the authentication token to a byte array.
         /// </summary>

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAPReplyAuthenticationToken.cs

@@ -13,7 +13,9 @@
 //  limitations under the License.
 
 using NtApiDotNet.Utilities.ASN1;
+using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 
 namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
@@ -52,10 +54,11 @@ public override string Format()
         /// </summary>
         /// <param name="keyset">The set of keys to decrypt the </param>
         /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
-        public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
+        public override AuthenticationToken Decrypt(IEnumerable<AuthenticationKey> keyset)
         {
             KerberosEncryptedData encrypted_part = null;
-            if (EncryptedPart.Decrypt(keyset, string.Empty, new KerberosPrincipalName(), KeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
+            KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.OfType<KerberosAuthenticationKey>());
+            if (EncryptedPart.Decrypt(tmp_keyset, string.Empty, new KerberosPrincipalName(), KeyUsage.ApRepEncryptedPart, out byte[] auth_decrypt))
             {
                 if (!KerberosAPReplyEncryptedPart.Parse(EncryptedPart, auth_decrypt, out encrypted_part))
                 {

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAPReplyEncryptedPart.cs

@@ -35,7 +35,7 @@ public class KerberosAPReplyEncryptedPart : KerberosEncryptedData
         /// <summary>
         /// Subkey.
         /// </summary>
-        public KerberosKey SubKey { get; private set; }
+        public KerberosAuthenticationKey SubKey { get; private set; }
         /// <summary>
         /// Sequence number.
         /// </summary>
@@ -99,7 +99,7 @@ internal static bool Parse(KerberosEncryptedData orig_data, byte[] decrypted, ou
                         case 2:
                             if (!next.HasChildren())
                                 return false;
-                            ret.SubKey = KerberosKey.Parse(next.Children[0], string.Empty, new KerberosPrincipalName());
+                            ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], string.Empty, new KerberosPrincipalName());
                             break;
                         case 3:
                             ret.SequenceNumber = next.ReadChildInteger();

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAPRequestAuthenticationToken.cs

@@ -14,7 +14,9 @@
 
 using NtApiDotNet.Utilities.ASN1;
 using System;
+using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 
 namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
@@ -90,19 +92,19 @@ public override string Format()
         /// </summary>
         /// <param name="keyset">The set of keys to decrypt the </param>
         /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
-        public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
+        public override AuthenticationToken Decrypt(IEnumerable<AuthenticationKey> keyset)
         {
             KerberosEncryptedData authenticator = null;
 
-            KerberosKeySet tmp_keys = new KerberosKeySet(keyset);
+            KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType<KerberosAuthenticationKey>());
             if (!Ticket.Decrypt(tmp_keys, KeyUsage.AsRepTgsRepTicket, out KerberosTicket ticket))
             {
                 ticket = null;
             }
 
             if (Authenticator.Decrypt(tmp_keys, Ticket.Realm, Ticket.ServerName, KeyUsage.ApReqAuthSubKey, out byte[] auth_decrypt))
             {
-                if (!KerberosAuthenticator.Parse(Ticket, Authenticator, auth_decrypt, keyset, out authenticator))
+                if (!KerberosAuthenticator.Parse(Ticket, Authenticator, auth_decrypt, tmp_keys, out authenticator))
                 {
                     authenticator = null;
                 }

…y/Authentication/Kerberos/KerberosKey.cs …on/Kerberos/KerberosAuthenticationKey.csNtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosKey.cs renamed to NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAuthenticationKey.cs NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosKey.cs renamed to NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAuthenticationKey.cs

@@ -26,7 +26,7 @@ namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
     /// <summary>
     /// A single kerberos key.
     /// </summary>
-    public sealed class KerberosKey
+    public sealed class KerberosAuthenticationKey : AuthenticationKey
     {
         private readonly byte[] _key;
 
@@ -73,7 +73,7 @@ public sealed class KerberosKey
         /// <param name="components">The name components for the key.</param>
         /// <param name="timestamp">Timestamp when key was created.</param>
         /// <param name="version">Key Version Number (KVNO).</param>
-        public KerberosKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNameType name_type, 
+        public KerberosAuthenticationKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNameType name_type, 
             string realm, string[] components, DateTime timestamp, uint version)
         {
             KeyEncryption = key_encryption;
@@ -95,7 +95,7 @@ public KerberosKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNa
         /// <param name="components">The name components for the key.</param>
         /// <param name="timestamp">Timestamp when key was created.</param>
         /// <param name="version">Key Version Number (KVNO).</param>
-        public KerberosKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNameType name_type,
+        public KerberosAuthenticationKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNameType name_type,
             string realm, IEnumerable<string> components, DateTime timestamp, uint version)
         {
             KeyEncryption = key_encryption;
@@ -116,7 +116,7 @@ public KerberosKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNa
         /// <param name="principal">Principal for key, in form TYPE/name@realm.</param>
         /// <param name="timestamp">Timestamp when key was created.</param>
         /// <param name="version">Key Version Number (KVNO).</param>
-        public KerberosKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNameType name_type,
+        public KerberosAuthenticationKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNameType name_type,
             string principal, DateTime timestamp, uint version)
             : this(key_encryption, key, name_type, GetRealm(principal),
                   GetComponents(principal), timestamp, version)
@@ -132,7 +132,7 @@ public KerberosKey(KerberosEncryptionType key_encryption, byte[] key, KerberosNa
         /// <param name="principal">Principal for key, in form TYPE/name@realm.</param>
         /// <param name="timestamp">Timestamp when key was created.</param>
         /// <param name="version">Key Version Number (KVNO).</param>
-        public KerberosKey(KerberosEncryptionType key_encryption, string key, KerberosNameType name_type,
+        public KerberosAuthenticationKey(KerberosEncryptionType key_encryption, string key, KerberosNameType name_type,
             string principal, DateTime timestamp, uint version)
             : this(key_encryption, GetKey(key), name_type, principal, timestamp, version)
         {
@@ -150,7 +150,7 @@ public KerberosKey(KerberosEncryptionType key_encryption, string key, KerberosNa
         /// <param name="salt">Salt for the key.</param>
         /// <param name="version">Key Version Number (KVNO).</param>
         /// <returns></returns>
-        public static KerberosKey DeriveKey(KerberosEncryptionType key_encryption, string password, 
+        public static KerberosAuthenticationKey DeriveKey(KerberosEncryptionType key_encryption, string password, 
             int iterations, KerberosNameType name_type, string principal, string salt, uint version)
         {
             if (principal is null)
@@ -178,10 +178,10 @@ public static KerberosKey DeriveKey(KerberosEncryptionType key_encryption, strin
                     throw new ArgumentException($"Unsupported key type {key_encryption}", nameof(key_encryption));
             }
 
-            return new KerberosKey(key_encryption, key, name_type, principal, DateTime.Now, version);
+            return new KerberosAuthenticationKey(key_encryption, key, name_type, principal, DateTime.Now, version);
         }
 
-        internal static KerberosKey Parse(DERValue value, string realm, KerberosPrincipalName name)
+        internal static KerberosAuthenticationKey Parse(DERValue value, string realm, KerberosPrincipalName name)
         {
             if (!value.CheckSequence())
                 throw new InvalidDataException();
@@ -206,7 +206,7 @@ internal static KerberosKey Parse(DERValue value, string realm, KerberosPrincipa
 
             if (enc_type == 0 || key == null)
                 throw new InvalidDataException();
-            return new KerberosKey(enc_type, key, name.NameType, realm, name.Names.ToArray(), DateTime.Now, 0);
+            return new KerberosAuthenticationKey(enc_type, key, name.NameType, realm, name.Names.ToArray(), DateTime.Now, 0);
         }
 
         private static string MakeSalt(string salt, string principal)

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAuthenticationToken.cs

@@ -59,18 +59,6 @@ public static KerberosAuthenticationToken Parse(byte[] data)
         }
         #endregion
 
-        #region Public Methods
-        /// <summary>
-        /// Decrypt the Authentication Token using a keyset.
-        /// </summary>
-        /// <param name="keyset">The set of keys to decrypt the </param>
-        /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
-        public virtual KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
-        {
-            return this;
-        }
-        #endregion
-
         #region Internal Static Methods
         /// <summary>
         /// Try and parse data into an Kerberos authentication token.

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosAuthenticator.cs

@@ -52,7 +52,7 @@ public class KerberosAuthenticator : KerberosEncryptedData
         /// <summary>
         /// Subkey.
         /// </summary>
-        public KerberosKey SubKey { get; private set; }
+        public KerberosAuthenticationKey SubKey { get; private set; }
         /// <summary>
         /// Sequence number.
         /// </summary>
@@ -149,7 +149,7 @@ internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData ori
                         case 6:
                             if (!next.HasChildren())
                                 return false;
-                            ret.SubKey = KerberosKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
+                            ret.SubKey = KerberosAuthenticationKey.Parse(next.Children[0], orig_ticket.Realm, orig_ticket.ServerName);
                             break;
                         case 7:
                             ret.SequenceNumber = next.ReadChildInteger();
@@ -166,7 +166,7 @@ internal static bool Parse(KerberosTicket orig_ticket, KerberosEncryptedData ori
 
                 if (ret.Checksum is KerberosChecksumGSSApi gssapi && gssapi.Credentials != null)
                 {
-                    KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosKey[0]);
+                    KerberosKeySet tmp_keyset = new KerberosKeySet(keyset.AsEnumerable() ?? new KerberosAuthenticationKey[0]);
                     if (ret.SubKey != null)
                     {
                         tmp_keyset.Add(ret.SubKey);

NtApiDotNet/Win32/Security/Authentication/Kerberos/KerberosCredential.cs

@@ -15,6 +15,7 @@
 using NtApiDotNet.Utilities.ASN1;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text;
 
 namespace NtApiDotNet.Win32.Security.Authentication.Kerberos
@@ -63,10 +64,10 @@ public override string Format()
         /// </summary>
         /// <param name="keyset">The set of keys to decrypt the </param>
         /// <returns>The decrypted token, or the same token if nothing could be decrypted.</returns>
-        public override KerberosAuthenticationToken Decrypt(KerberosKeySet keyset)
+        public override AuthenticationToken Decrypt(IEnumerable<AuthenticationKey> keyset)
         {
             KerberosEncryptedData encdata = null;
-            KerberosKeySet tmp_keys = new KerberosKeySet(keyset);
+            KerberosKeySet tmp_keys = new KerberosKeySet(keyset.OfType<KerberosAuthenticationKey>());
             List<KerberosTicket> dec_tickets = new List<KerberosTicket>();
             bool decrypted_ticket = false;
             foreach (var ticket in Tickets)