Coverage for /root/GitHubProjects/impacket/impacket/krb5/asn1.py : 91%

Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# Impacket - Collection of Python classes for working with network protocols.
2#
3# SECUREAUTH LABS. Copyright (C) 2021 SecureAuth Corporation. All rights reserved.
4#
5# This software is provided under a slightly modified version
6# of the Apache Software License. See the accompanying LICENSE file
7# for more information.
8#
9# Description:
10# Changed some of the classes names to match the RFC 4120
11# Added [MS-KILE] data
12# Adapted to Enum
13#
14# Author:
15# Altered source by Alberto Solino (@agsolino)
16#
17# Copyright and license note from asn1.py:
18#
19# Copyright (c) 2013, Marc Horowitz
20# All rights reserved.
21#
22# Redistribution and use in source and binary forms, with or without
23# modification, are permitted provided that the following conditions are
24# met:
25#
26# Redistributions of source code must retain the above copyright notice,
27# this list of conditions and the following disclaimer.
28#
29# Redistributions in binary form must reproduce the above copyright
30# notice, this list of conditions and the following disclaimer in the
31# documentation and/or other materials provided with the distribution.
32#
33# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
34# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
35# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
36# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
37# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
38# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
39# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
40# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
41# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
42# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
43# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
44#
45from pyasn1.type import tag, namedtype, univ, constraint, char, useful
47from . import constants
50def _application_tag(tag_value):
51 return univ.Sequence.tagSet.tagExplicitly(
52 tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed,
53 int(tag_value)))
55def _vno_component(tag_value, name="pvno"):
56 return _sequence_component(
57 name, tag_value, univ.Integer(),
58 subtypeSpec=constraint.ValueRangeConstraint(5, 5))
60def _msg_type_component(tag_value, values):
61 c = constraint.ConstraintsUnion(
62 *(constraint.SingleValueConstraint(int(v)) for v in values))
63 return _sequence_component('msg-type', tag_value, univ.Integer(),
64 subtypeSpec=c)
66def _sequence_component(name, tag_value, type, **subkwargs):
67 return namedtype.NamedType(name, type.subtype(
68 explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple,
69 tag_value),
70 **subkwargs))
72def _sequence_optional_component(name, tag_value, type, **subkwargs):
73 return namedtype.OptionalNamedType(name, type.subtype(
74 explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple,
75 tag_value),
76 **subkwargs))
78def seq_set(seq, name, builder=None, *args, **kwargs):
79 component = seq.setComponentByName(name).getComponentByName(name)
80 if builder is not None:
81 seq.setComponentByName(name, builder(component, *args, **kwargs))
82 else:
83 seq.setComponentByName(name)
84 return seq.getComponentByName(name)
86def seq_set_dict(seq, name, pairs, *args, **kwargs):
87 component = seq.setComponentByName(name).getComponentByName(name)
88 for k, v in pairs.items():
89 component.setComponentByName(k, v)
91def seq_set_iter(seq, name, iterable):
92 component = seq.setComponentByName(name).getComponentByName(name)
93 for pos, v in enumerate(iterable):
94 component.setComponentByPosition(pos, v)
96def seq_set_flags(seq, name, flags):
97 seq_set(seq, name, flags.to_asn1)
99def seq_append(seq, name, pairs):
100 component = seq.getComponentByName(name)
101 if component is None:
102 component = seq.setComponentByName(name).getComponentByName(name)
103 index = len(component)
104 element = component.setComponentByPosition(index
105 ).getComponentByPosition(index)
106 for k, v in pairs.items():
107 element.setComponentByName(k, v)
109class Int32(univ.Integer):
110 subtypeSpec = univ.Integer.subtypeSpec + constraint.ValueRangeConstraint(
111 -2147483648, 2147483647)
113class UInt32(univ.Integer):
114 pass
115# subtypeSpec = univ.Integer.subtypeSpec + constraint.ValueRangeConstraint(
116# 0, 4294967295)
118class Microseconds(univ.Integer):
119 subtypeSpec = univ.Integer.subtypeSpec + constraint.ValueRangeConstraint(
120 0, 999999)
122class KerberosString(char.GeneralString):
123 # TODO marc: I'm not sure how to express this constraint in the API.
124 # For now, we will be liberal in what we accept.
125 # subtypeSpec = constraint.PermittedAlphabetConstraint(char.IA5String())
126 pass
128class Realm(KerberosString):
129 pass
131class PrincipalName(univ.Sequence):
132 componentType = namedtype.NamedTypes(
133 _sequence_component("name-type", 0, Int32()),
134 _sequence_component("name-string", 1,
135 univ.SequenceOf(componentType=KerberosString()))
136 )
138class KerberosTime(useful.GeneralizedTime):
139 pass
141class HostAddress(univ.Sequence):
142 componentType = namedtype.NamedTypes(
143 _sequence_component("addr-type", 0, Int32()),
144 _sequence_component("address", 1, univ.OctetString())
145 )
147class HostAddresses(univ.SequenceOf):
148 componentType = HostAddress()
150class AuthorizationData(univ.SequenceOf):
151 componentType = univ.Sequence(componentType=namedtype.NamedTypes(
152 _sequence_component('ad-type', 0, Int32()),
153 _sequence_component('ad-data', 1, univ.OctetString())
154 ))
156class PA_DATA(univ.Sequence):
157 componentType = namedtype.NamedTypes(
158 _sequence_component('padata-type', 1, Int32()),
159 _sequence_component('padata-value', 2, univ.OctetString())
160 )
162class KerberosFlags(univ.BitString):
163 # TODO marc: it doesn't look like there's any way to specify the
164 # SIZE (32.. MAX) parameter to the encoder. However, we can
165 # arrange at a higher layer to pass in >= 32 bits to the encoder.
166 pass
168class EncryptedData(univ.Sequence):
169 componentType = namedtype.NamedTypes(
170 _sequence_component("etype", 0, Int32()),
171 _sequence_optional_component("kvno", 1, UInt32()),
172 _sequence_component("cipher", 2, univ.OctetString())
173 )
175class EncryptionKey(univ.Sequence):
176 componentType = namedtype.NamedTypes(
177 _sequence_component('keytype', 0, Int32()),
178 _sequence_component('keyvalue', 1, univ.OctetString()))
180class Checksum(univ.Sequence):
181 componentType = namedtype.NamedTypes(
182 _sequence_component('cksumtype', 0, Int32()),
183 _sequence_component('checksum', 1, univ.OctetString()))
185class Ticket(univ.Sequence):
186 tagSet = _application_tag(constants.ApplicationTagNumbers.Ticket.value)
187 componentType = namedtype.NamedTypes(
188 _vno_component(name="tkt-vno", tag_value=0),
189 _sequence_component("realm", 1, Realm()),
190 _sequence_component("sname", 2, PrincipalName()),
191 _sequence_component("enc-part", 3, EncryptedData())
192 )
194class TicketFlags(KerberosFlags):
195 pass
197class TransitedEncoding(univ.Sequence):
198 componentType = namedtype.NamedTypes(
199 _sequence_component('tr-type', 0, Int32()),
200 _sequence_component('contents', 1, univ.OctetString()))
202class EncTicketPart(univ.Sequence):
203 tagSet = _application_tag(constants.ApplicationTagNumbers.EncTicketPart.value)
204 componentType = namedtype.NamedTypes(
205 _sequence_component("flags", 0, TicketFlags()),
206 _sequence_component("key", 1, EncryptionKey()),
207 _sequence_component("crealm", 2, Realm()),
208 _sequence_component("cname", 3, PrincipalName()),
209 _sequence_component("transited", 4, TransitedEncoding()),
210 _sequence_component("authtime", 5, KerberosTime()),
211 _sequence_optional_component("starttime", 6, KerberosTime()),
212 _sequence_component("endtime", 7, KerberosTime()),
213 _sequence_optional_component("renew-till", 8, KerberosTime()),
214 _sequence_optional_component("caddr", 9, HostAddresses()),
215 _sequence_optional_component("authorization-data", 10, AuthorizationData())
216 )
218class KDCOptions(KerberosFlags):
219 pass
221class KDC_REQ_BODY(univ.Sequence):
222 componentType = namedtype.NamedTypes(
223 _sequence_component('kdc-options', 0, KDCOptions()),
224 _sequence_optional_component('cname', 1, PrincipalName()),
225 _sequence_component('realm', 2, Realm()),
226 _sequence_optional_component('sname', 3, PrincipalName()),
227 _sequence_optional_component('from', 4, KerberosTime()),
228 _sequence_component('till', 5, KerberosTime()),
229 _sequence_optional_component('rtime', 6, KerberosTime()),
230 _sequence_component('nonce', 7, UInt32()),
231 _sequence_component('etype', 8,
232 univ.SequenceOf(componentType=Int32())),
233 _sequence_optional_component('addresses', 9, HostAddresses()),
234 _sequence_optional_component('enc-authorization-data', 10,
235 EncryptedData()),
236 _sequence_optional_component('additional-tickets', 11,
237 univ.SequenceOf(componentType=Ticket()))
238 )
240class KDC_REQ(univ.Sequence):
241 componentType = namedtype.NamedTypes(
242 _vno_component(1),
243 _msg_type_component(2, (constants.ApplicationTagNumbers.AS_REQ.value,
244 constants.ApplicationTagNumbers.TGS_REQ.value)),
245 _sequence_optional_component('padata', 3,
246 univ.SequenceOf(componentType=PA_DATA())),
247 _sequence_component('req-body', 4, KDC_REQ_BODY())
248 )
250class AS_REQ(KDC_REQ):
251 tagSet = _application_tag(constants.ApplicationTagNumbers.AS_REQ.value)
253class TGS_REQ(KDC_REQ):
254 tagSet = _application_tag(constants.ApplicationTagNumbers.TGS_REQ.value)
256class KDC_REP(univ.Sequence):
257 componentType = namedtype.NamedTypes(
258 _vno_component(0),
259 _msg_type_component(1, (constants.ApplicationTagNumbers.AS_REP.value,
260 constants.ApplicationTagNumbers.TGS_REP.value)),
261 _sequence_optional_component('padata', 2,
262 univ.SequenceOf(componentType=PA_DATA())),
263 _sequence_component('crealm', 3, Realm()),
264 _sequence_component('cname', 4, PrincipalName()),
265 _sequence_component('ticket', 5, Ticket()),
266 _sequence_component('enc-part', 6, EncryptedData())
267 )
269class LastReq(univ.SequenceOf):
270 componentType = univ.Sequence(componentType=namedtype.NamedTypes(
271 _sequence_component('lr-type', 0, Int32()),
272 _sequence_component('lr-value', 1, KerberosTime())
273 ))
275class METHOD_DATA(univ.SequenceOf):
276 componentType = PA_DATA()
278class EncKDCRepPart(univ.Sequence):
279 componentType = namedtype.NamedTypes(
280 _sequence_component('key', 0, EncryptionKey()),
281 _sequence_component('last-req', 1, LastReq()),
282 _sequence_component('nonce', 2, UInt32()),
283 _sequence_optional_component('key-expiration', 3, KerberosTime()),
284 _sequence_component('flags', 4, TicketFlags()),
285 _sequence_component('authtime', 5, KerberosTime()),
286 _sequence_optional_component('starttime', 6, KerberosTime()),
287 _sequence_component('endtime', 7, KerberosTime()),
288 _sequence_optional_component('renew-till', 8, KerberosTime()),
289 _sequence_component('srealm', 9, Realm()),
290 _sequence_component('sname', 10, PrincipalName()),
291 _sequence_optional_component('caddr', 11, HostAddresses()),
292 _sequence_optional_component('encrypted_pa_data', 12, METHOD_DATA())
293 )
295class EncASRepPart(EncKDCRepPart):
296 tagSet = _application_tag(constants.ApplicationTagNumbers.EncASRepPart.value)
298class EncTGSRepPart(EncKDCRepPart):
299 tagSet = _application_tag(constants.ApplicationTagNumbers.EncTGSRepPart.value)
301class AS_REP(KDC_REP):
302 tagSet = _application_tag(constants.ApplicationTagNumbers.AS_REP.value)
304class TGS_REP(KDC_REP):
305 tagSet = _application_tag(constants.ApplicationTagNumbers.TGS_REP.value)
307class APOptions(KerberosFlags):
308 pass
310class Authenticator(univ.Sequence):
311 tagSet = _application_tag(constants.ApplicationTagNumbers.Authenticator.value)
312 componentType = namedtype.NamedTypes(
313 _vno_component(name='authenticator-vno', tag_value=0),
314 _sequence_component('crealm', 1, Realm()),
315 _sequence_component('cname', 2, PrincipalName()),
316 _sequence_optional_component('cksum', 3, Checksum()),
317 _sequence_component('cusec', 4, Microseconds()),
318 _sequence_component('ctime', 5, KerberosTime()),
319 _sequence_optional_component('subkey', 6, EncryptionKey()),
320 _sequence_optional_component('seq-number', 7, UInt32()),
321 _sequence_optional_component('authorization-data', 8,
322 AuthorizationData())
323 )
325class AP_REQ(univ.Sequence):
326 tagSet = _application_tag(constants.ApplicationTagNumbers.AP_REQ.value)
327 componentType = namedtype.NamedTypes(
328 _vno_component(0),
329 _msg_type_component(1, (constants.ApplicationTagNumbers.AP_REQ.value,)),
330 _sequence_component('ap-options', 2, APOptions()),
331 _sequence_component('ticket', 3, Ticket()),
332 _sequence_component('authenticator', 4, EncryptedData())
333 )
335class AP_REP(univ.Sequence):
336 tagSet = _application_tag(constants.ApplicationTagNumbers.AP_REP.value)
337 componentType = namedtype.NamedTypes(
338 _vno_component(0),
339 _msg_type_component(1, (constants.ApplicationTagNumbers.AP_REP.value,)),
340 _sequence_component('enc-part', 2, EncryptedData()),
341 )
343class EncAPRepPart(univ.Sequence):
344 tagSet = _application_tag(constants.ApplicationTagNumbers.EncApRepPart.value)
345 componentType = namedtype.NamedTypes(
346 _sequence_component('ctime', 0, KerberosTime()),
347 _sequence_component('cusec', 1, Microseconds()),
348 _sequence_optional_component('subkey', 2, EncryptionKey()),
349 _sequence_optional_component('seq-number', 3, UInt32()),
350 )
352class KRB_SAFE_BODY(univ.Sequence):
353 componentType = namedtype.NamedTypes(
354 _sequence_component('user-data', 0, univ.OctetString()),
355 _sequence_optional_component('timestamp', 1, KerberosTime()),
356 _sequence_optional_component('usec', 2, Microseconds()),
357 _sequence_optional_component('seq-number', 3, UInt32()),
358 _sequence_component('s-address', 4, HostAddress()),
359 _sequence_optional_component('r-address', 5, HostAddress()),
360 )
362class KRB_SAFE(univ.Sequence):
363 tagSet = _application_tag(constants.ApplicationTagNumbers.KRB_SAFE.value)
364 componentType = namedtype.NamedTypes(
365 _vno_component(0),
366 _msg_type_component(1, (constants.ApplicationTagNumbers.KRB_SAFE.value,)),
367 _sequence_component('safe-body', 2, KRB_SAFE_BODY()),
368 _sequence_component('cksum', 3, Checksum()),
369 )
371class KRB_PRIV(univ.Sequence):
372 tagSet = _application_tag(constants.ApplicationTagNumbers.KRB_PRIV.value)
373 componentType = namedtype.NamedTypes(
374 _vno_component(0),
375 _msg_type_component(1, (constants.ApplicationTagNumbers.KRB_PRIV.value,)),
376 _sequence_component('enc-part', 3, EncryptedData()),
377 )
379class EncKrbPrivPart(univ.Sequence):
380 tagSet = _application_tag(constants.ApplicationTagNumbers.EncKrbPrivPart.value)
381 componentType = namedtype.NamedTypes(
382 _sequence_component('user-data', 0, univ.OctetString()),
383 _sequence_optional_component('timestamp', 1, KerberosTime()),
384 _sequence_optional_component('cusec', 2, Microseconds()),
385 _sequence_optional_component('seq-number', 3, UInt32()),
386 _sequence_component('s-address', 4, HostAddress()),
387 _sequence_optional_component('r-address', 5, HostAddress()),
388 )
390class KRB_CRED(univ.Sequence):
391 tagSet = _application_tag(constants.ApplicationTagNumbers.KRB_CRED.value)
392 componentType = namedtype.NamedTypes(
393 _vno_component(0),
394 _msg_type_component(1, (constants.ApplicationTagNumbers.KRB_CRED.value,)),
395 _sequence_optional_component('tickets', 2,
396 univ.SequenceOf(componentType=Ticket())),
397 _sequence_component('enc-part', 3, EncryptedData()),
398 )
400class KrbCredInfo(univ.Sequence):
401 componentType = namedtype.NamedTypes(
402 _sequence_component('key', 0, EncryptionKey()),
403 _sequence_optional_component('prealm', 1, Realm()),
404 _sequence_optional_component('pname', 2, PrincipalName()),
405 _sequence_optional_component('flags', 3, TicketFlags()),
406 _sequence_optional_component('authtime', 4, KerberosTime()),
407 _sequence_optional_component('starttime', 5, KerberosTime()),
408 _sequence_optional_component('endtime', 6, KerberosTime()),
409 _sequence_optional_component('renew-till', 7, KerberosTime()),
410 _sequence_optional_component('srealm', 8, Realm()),
411 _sequence_optional_component('sname', 9, PrincipalName()),
412 _sequence_optional_component('caddr', 10, HostAddresses()),
413 )
415class EncKrbCredPart(univ.Sequence):
416 tagSet = _application_tag(constants.ApplicationTagNumbers.EncKrbCredPart.value)
417 componentType = namedtype.NamedTypes(
418 _sequence_component('ticket-info', 0, univ.SequenceOf(componentType=KrbCredInfo())),
419 _sequence_optional_component('nonce', 1, UInt32()),
420 _sequence_optional_component('timestamp', 2, KerberosTime()),
421 _sequence_optional_component('usec', 3, Microseconds()),
422 _sequence_optional_component('s-address', 4, HostAddress()),
423 _sequence_optional_component('r-address', 5, HostAddress()),
424 )
426class KRB_ERROR(univ.Sequence):
427 tagSet = _application_tag(constants.ApplicationTagNumbers.KRB_ERROR.value)
428 componentType = namedtype.NamedTypes(
429 _vno_component(0),
430 _msg_type_component(1, (constants.ApplicationTagNumbers.KRB_ERROR.value,)),
431 _sequence_optional_component('ctime', 2, KerberosTime()),
432 _sequence_optional_component('cusec', 3, Microseconds()),
433 _sequence_component('stime', 4, KerberosTime()),
434 _sequence_component('susec', 5, Microseconds()),
435 _sequence_component('error-code', 6, Int32()),
436 _sequence_optional_component('crealm', 7, Realm()),
437 _sequence_optional_component('cname', 8, PrincipalName()),
438 _sequence_component('realm', 9, Realm()),
439 _sequence_component('sname', 10, PrincipalName()),
440 _sequence_optional_component('e-text', 11, KerberosString()),
441 _sequence_optional_component('e-data', 12, univ.OctetString())
442 )
444class TYPED_DATA(univ.SequenceOf):
445 componentType = namedtype.NamedTypes(
446 _sequence_component('data-type', 0, Int32()),
447 _sequence_optional_component('data-value', 1, univ.OctetString()),
448 )
450class PA_ENC_TIMESTAMP(EncryptedData):
451 pass
453class PA_ENC_TS_ENC(univ.Sequence):
454 componentType = namedtype.NamedTypes(
455 _sequence_component('patimestamp', 0, KerberosTime()),
456 _sequence_optional_component('pausec', 1, Microseconds()))
458class ETYPE_INFO_ENTRY(univ.Sequence):
459 componentType = namedtype.NamedTypes(
460 _sequence_component('etype', 0, Int32()),
461 _sequence_optional_component('salt', 1, univ.OctetString()))
463class ETYPE_INFO(univ.SequenceOf):
464 componentType = ETYPE_INFO_ENTRY()
466class ETYPE_INFO2_ENTRY(univ.Sequence):
467 componentType = namedtype.NamedTypes(
468 _sequence_component('etype', 0, Int32()),
469 _sequence_optional_component('salt', 1, KerberosString()),
470 _sequence_optional_component('s2kparams', 2, univ.OctetString()))
472class ETYPE_INFO2(univ.SequenceOf):
473 componentType = ETYPE_INFO2_ENTRY()
475class AD_IF_RELEVANT(AuthorizationData):
476 pass
478class AD_KDCIssued(univ.Sequence):
479 componentType = namedtype.NamedTypes(
480 _sequence_component('ad-checksum', 0, Checksum()),
481 _sequence_optional_component('i-realm', 1, Realm()),
482 _sequence_optional_component('i-sname', 2, PrincipalName()),
483 _sequence_component('elements', 3, AuthorizationData()))
485class AD_AND_OR(univ.Sequence):
486 componentType = namedtype.NamedTypes(
487 _sequence_component('condition-count', 0, Int32()),
488 _sequence_optional_component('elements', 1, AuthorizationData()))
490class AD_MANDATORY_FOR_KDC(AuthorizationData):
491 pass
493class KERB_PA_PAC_REQUEST(univ.Sequence):
494 componentType = namedtype.NamedTypes(
495 namedtype.NamedType('include-pac', univ.Boolean().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
496 )
498class PA_FOR_USER_ENC(univ.Sequence):
499 componentType = namedtype.NamedTypes(
500 _sequence_component('userName', 0, PrincipalName()),
501 _sequence_optional_component('userRealm', 1, Realm()),
502 _sequence_optional_component('cksum', 2, Checksum()),
503 _sequence_optional_component('auth-package', 3, KerberosString()))
505class KERB_ERROR_DATA(univ.Sequence):
506 componentType = namedtype.NamedTypes(
507 _sequence_component('data-type', 1, Int32()),
508 _sequence_component('data-value', 2, univ.OctetString()))
510class PA_PAC_OPTIONS(univ.Sequence):
511 componentType = namedtype.NamedTypes(
512 _sequence_component('flags', 0, KerberosFlags()),
513 )
515class KERB_KEY_LIST_REQ(univ.SequenceOf):
516 componentType = Int32()
518class KERB_KEY_LIST_REP(univ.SequenceOf):
519 componentType = EncryptionKey()