- Variables
- func ASExchange(ctx context.Context, asReq messages.ASReq, domain string, ...) (asRep messages.ASRep, err error)
- func Authenticate(ctx context.Context, user string, domain string, cert *x509.Certificate, ...) (*credentials.CCache, error)
- func ConfigureASReq(asReq *messages.ASReq, cert *x509.Certificate, key *rsa.PrivateKey, ...) error
- func Decrypt(asRep *messages.ASRep, dhKey *big.Int, dhClientNonce []byte) (pkinitKey types.EncryptionKey, err error)
- func DiffieHellmanPublicKey(privateKey *big.Int) *big.Int
- func DiffieHellmanSharedSecret(privateKey *big.Int, publicKey *big.Int) *big.Int
- func ExtractNegotiatedKey(asRep *messages.ASRep, dhKey *big.Int, dhClientNonce []byte) (ekey types.EncryptionKey, err error)
- func NewASReq(username string, domain string, cert *x509.Certificate, key *rsa.PrivateKey, ...) (asReq messages.ASReq, dhClientNonce []byte, err error)
- func NewDiffieHellmanNonce() []byte
- func PKCS7Sign(data []byte, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte, error)
- func TGSExchange(ctx context.Context, tgsReq messages.TGSReq, config *config.Config, ...) (tgsRep messages.TGSRep, err error)
- type AlgorithmIdentifier
- type Attribute
- type AuthPack
- type AuthoirzationData
- type AuthoirzationDataElement
- type ContentInfo
- type ContextDialer
- type DHRepInfo
- type DomainParameters
- type Hash
- func NewHash(ntlmSupplementalCredential *pac.NTLMSupplementalCredential) (*Hash, error)
- func UnPACTheHash(ctx context.Context, user string, domain string, cert *x509.Certificate, ...) (*credentials.CCache, *Hash, error)
- func UnPACTheHashFromPFX(ctx context.Context, username string, domain string, pfxFile string, ...) (*credentials.CCache, *Hash, error)
- func UnPACTheHashFromPFXData(ctx context.Context, username string, domain string, pfxData []byte, ...) (*credentials.CCache, *Hash, error)
- type IssuerAndSerial
- type KDCDHKeyInfo
- type Option
- type PAPACRequest
- type PAPKASRep
- type PKAuthenticator
- type RawCertificates
- type SignedData
- type SignerInfo
- type SubjectPublicKeyInfo
Variables ¶
var (
	// DiffieHellmanPrime is the Diffie-Hellman prime (P) that is accepted by PKINIT.
	// NOTE(review): it is initialised to 0 here, so the real group prime is presumably
	// assigned elsewhere (e.g. in an init function) — confirm, because a zero modulus
	// would make DiffieHellmanPublicKey and DiffieHellmanSharedSecret meaningless.
	DiffieHellmanPrime = big.NewInt(0)
	// DiffieHellmanBase is the Diffie-Hellman base (G) that is accepted by PKINIT.
	DiffieHellmanBase = big.NewInt(2)
)
// DefaultKerberosRoundtripDeadline is the maximum time a single request/response
// roundtrip with a KDC may take before it is aborted. The deadline applies to
// each KDC that is tried, not to the whole exchange; WithRoundtripDeadline overrides it.
var DefaultKerberosRoundtripDeadline = 5 * time.Second
DefaultKerberosRoundtripDeadline is the maximum time a roundtrip with the KDC can take before it is aborted. This deadline is for each KDC that is considered.
Functions ¶
func ASExchange ¶
func ASExchange( ctx context.Context, asReq messages.ASReq, domain string, config *config.Config, dialer ContextDialer, roundtripDeadline time.Duration, ) (asRep messages.ASRep, err error)
ASExchange sends an ASReq to the KDC for the provided domain and returns the ASRep.
func Authenticate ¶
func Authenticate( ctx context.Context, user string, domain string, cert *x509.Certificate, key *rsa.PrivateKey, krbConfig *config.Config, opts ...Option, ) (*credentials.CCache, error)
Authenticate obtains a ticket granting ticket using PKINIT and returns it in a CCache which can be serialized using ccachetools.MarshalCCache.
func ConfigureASReq ¶
func ConfigureASReq( asReq *messages.ASReq, cert *x509.Certificate, key *rsa.PrivateKey, dhKey *big.Int, dhClientNonce []byte, ) error
ConfigureASReq configures an ASReq for PKINIT.
func Decrypt ¶
func Decrypt(asRep *messages.ASRep, dhKey *big.Int, dhClientNonce []byte) (pkinitKey types.EncryptionKey, err error)
Decrypt decrypts the encrypted parts of an ASRep with the key derived during PKINIT.
func DiffieHellmanPublicKey ¶
DiffieHellmanPublicKey derives the Diffie Hellman public key from the provided private key with the parameters that are accepted by PKINIT.
func DiffieHellmanSharedSecret ¶
DiffieHellmanSharedSecret derives the Diffie Hellman shared secret with the parameters that are accepted by PKINIT.
func ExtractNegotiatedKey ¶
func ExtractNegotiatedKey( asRep *messages.ASRep, dhKey *big.Int, dhClientNonce []byte, ) (ekey types.EncryptionKey, err error)
ExtractNegotiatedKey extracts the key derived during PKINIT.
func NewASReq ¶
func NewASReq( username string, domain string, cert *x509.Certificate, key *rsa.PrivateKey, dhKey *big.Int, config *config.Config, ) (asReq messages.ASReq, dhClientNonce []byte, err error)
NewASReq generates an ASReq configured for PKINIT.
func NewDiffieHellmanNonce ¶
func NewDiffieHellmanNonce() []byte
NewDiffieHellmanNonce generates a nonce for the Diffie Hellman key exchange.
func PKCS7Sign ¶
func PKCS7Sign(data []byte, key *rsa.PrivateKey, cert *x509.Certificate) ([]byte, error)
PKCS7Sign signs the data according to PKCS#7.
Types ¶
type AlgorithmIdentifier ¶
// AlgorithmIdentifier is the ASN.1 AlgorithmIdentifier used in SubjectPublicKeyInfo
// for the client's Diffie-Hellman public value: the algorithm OID plus the
// DomainParameters (presumably the DH group parameters) that accompany it.
type AlgorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier `asn1:"implicit"`
	Parameters DomainParameters      `asn1:"implicit,optional"`
}
type Attribute ¶
// Attribute is a PKCS#7/CMS attribute: an attribute-type OID and its values,
// carried as a raw ASN.1 SET. It is the element type of
// SignerInfo.AuthenticatedAttributes.
type Attribute struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}
type AuthPack ¶
// AuthPack is the PKINIT AuthPack structure (RFC 4556) that the client signs
// and sends in its pre-authentication data.
//
//	AuthPack ::= SEQUENCE {
//	    pkAuthenticator   [0] PKAuthenticator,
//	    clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
//	    supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
//	    clientDHNonce     [3] DHNonce OPTIONAL,
//	    ...,
//	    supportedKDFs     [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
//	    ...
//	}
//
// supportedKDFs [4] is not modelled by this struct, so it is never encoded.
type AuthPack struct {
	PKAuthenticator   PKAuthenticator            `asn1:"tag:0,explicit"`
	ClientPublicValue SubjectPublicKeyInfo       `asn1:"tag:1,explicit,optional"`
	SupportedCMSTypes []pkix.AlgorithmIdentifier `asn1:"tag:2,explicit,optional"`
	ClientDHNonce     []byte                     `asn1:"tag:3,explicit,optional"`
}
type AuthoirzationData ¶
// AuthoirzationData is a sequence of authorization-data elements (presumably the
// Kerberos AuthorizationData type). The misspelled exported name is kept as-is
// because renaming it would break callers.
type AuthoirzationData []AuthoirzationDataElement
type ContentInfo ¶
// ContentInfo is the PKCS#7/CMS ContentInfo wrapper: a content-type OID and the
// [0] EXPLICIT content, kept as a raw ASN.1 value so the caller decides how to
// decode it.
type ContentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,optional,tag:0"`
}
type ContextDialer ¶
// ContextDialer is a context-aware dialer such as net.Dialer or the SOCKS5 dialer
// returned by proxy.SOCKS5. It is used to open the connection to a KDC so that
// cancellation and deadlines on ctx apply to the dial itself.
type ContextDialer interface {
	// DialContext opens a connection to addr over the given network (e.g. "tcp")
	// and is expected to honour cancellation of ctx.
	DialContext(ctx context.Context, net string, addr string) (net.Conn, error)
}
ContextDialer is a context-aware dialer such as net.Dialer or the SOCKS5 dialer returned by proxy.SOCKS5.
type DomainParameters ¶
type Hash ¶
// Hash represents LM and NT password hashes; see Combined and LMBytes for
// access to them. NOTE(review): this is credential material — callers should
// avoid logging it and should drop it as soon as it is no longer needed.
type Hash struct {
	// contains filtered or unexported fields
}
Hash represents LM and NT password hashes.
func NewHash ¶
func NewHash(ntlmSupplementalCredential *pac.NTLMSupplementalCredential) (*Hash, error)
func UnPACTheHash ¶
func UnPACTheHash( ctx context.Context, user string, domain string, cert *x509.Certificate, key *rsa.PrivateKey, krbConfig *config.Config, opts ...Option, ) (*credentials.CCache, *Hash, error)
UnPACTheHash retrieves the user's NT hash via PKINIT using the provided certificates.
func UnPACTheHashFromPFX ¶
func UnPACTheHashFromPFX( ctx context.Context, username string, domain string, pfxFile string, pfxPassword string, dc string, opts ...Option, ) (*credentials.CCache, *Hash, error)
UnPACTheHashFromPFX retrieves the user's NT hash via PKINIT using the provided PFX file. The DC argument is optional.
func UnPACTheHashFromPFXData ¶
func UnPACTheHashFromPFXData( ctx context.Context, username string, domain string, pfxData []byte, pfxPassword string, dc string, opts ...Option, ) (*credentials.CCache, *Hash, error)
UnPACTheHashFromPFXData retrieves the user's NT hash via PKINIT using the provided PFX data. The DC argument is optional.
func (*Hash) Combined ¶
Combined returns the hex-encoded hashes in LM:NT format. If either hash is not present, it is replaced by its respective empty hash value.
func (*Hash) LMBytes ¶
LMBytes returns the binary LM hash or an empty slice if no LM hash is present.
type IssuerAndSerial ¶
type KDCDHKeyInfo ¶
type Option ¶
// Option can be passed to Authenticate and the UnPACTheHash* functions to modify
// their default behavior; WithDialer and WithRoundtripDeadline construct options.
type Option interface {
	// contains filtered or unexported methods
}
Option can be passed to a function to modify the default behavior.
func WithDialer ¶
func WithDialer(dialer ContextDialer) Option
WithDialer can be used to set a custom dialer for communication with a DC.
func WithRoundtripDeadline ¶
WithRoundtripDeadline can be used to set a deadline for a single request-response roundtrip with a single KDC.
type PAPACRequest ¶
// PAPACRequest is the PA-PAC-REQUEST pre-authentication data that tells the KDC
// whether to include a PAC in the issued ticket. AsPAData wraps it as PAData.
type PAPACRequest struct {
	// IncludePAC requests a PAC when true.
	IncludePAC bool `asn1:"explicit,tag:0"`
}
func (*PAPACRequest) AsPAData ¶
func (p *PAPACRequest) AsPAData() types.PAData
type PKAuthenticator ¶
// PKAuthenticator binds the PKINIT request to the client's current time and the
// AS-REQ nonce, and optionally carries a checksum (RFC 4556: over the KDC-REQ-BODY).
//
//	PKAuthenticator ::= SEQUENCE {
//	    cusec      [0] INTEGER -- (0..999999) --,
//	    ctime      [1] KerberosTime,
//	    nonce      [2] INTEGER (0..4294967295),
//	    paChecksum [3] OCTET STRING OPTIONAL,
//	    ...
//	}
//
// NOTE(review): Nonce is declared as int; on 32-bit platforms values above
// math.MaxInt32 would not round-trip — presumably the generated nonce stays
// within that range, confirm.
type PKAuthenticator struct {
	CUSec    int       `asn1:"tag:0,explicit"`
	CTime    time.Time `asn1:"tag:1,explicit,generalized"`
	Nonce    int       `asn1:"tag:2,explicit"`
	Checksum []byte    `asn1:"tag:3,explicit,optional"`
}
type RawCertificates ¶
// RawCertificates holds the DER-encoded certificate set for SignedData.Certificates
// verbatim: asn1.RawContent preserves the undecoded bytes, so the set built by
// RawCertificate is re-emitted exactly rather than re-encoded.
type RawCertificates struct {
	Raw asn1.RawContent
}
func RawCertificate ¶
func RawCertificate(cert *x509.Certificate) (RawCertificates, error)
type SignedData ¶
// SignedData is the PKCS#7/CMS SignedData structure (presumably what PKCS7Sign
// produces): the digest algorithms used, the encapsulated content, the signer's
// certificate(s), optional CRLs, and one SignerInfo per signer.
//
// NOTE(review): x509.RevocationList is not an encoding/asn1-friendly type, so
// populating CRLs would likely not marshal as a valid CRL — as far as visible it
// is expected to stay empty; confirm.
type SignedData struct {
	Version                    int                        `asn1:"default:1"`
	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo                ContentInfo
	Certificates               RawCertificates            `asn1:"optional,tag:0"`
	CRLs                       []x509.RevocationList      `asn1:"optional,tag:1"`
	SignerInfos                []SignerInfo               `asn1:"set"`
}
type SignerInfo ¶
// SignerInfo describes one signer of a SignedData: which certificate signed
// (issuer and serial), the digest and signature algorithms, the signed
// (authenticated) attributes, and the signature value in EncryptedDigest.
// UnauthenticatedAttributes are not covered by the signature.
type SignerInfo struct {
	Version                   int                          `asn1:"default:1"`
	IssuerAndSerialNumber     IssuerAndSerial
	DigestAlgorithm           pkix.AlgorithmIdentifier
	AuthenticatedAttributes   []Attribute                  `asn1:"optional,omitempty,tag:0"`
	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedDigest           []byte
	UnauthenticatedAttributes []pkix.AttributeTypeAndValue `asn1:"optional,omitempty,tag:1"`
}
type SubjectPublicKeyInfo ¶
// SubjectPublicKeyInfo carries the client's public value (used for the
// Diffie-Hellman exchange) in AuthPack.ClientPublicValue.
//
//	SubjectPublicKeyInfo ::= SEQUENCE {
//	    algorithm        AlgorithmIdentifier{PUBLIC-KEY, {PublicKeyAlgorithms}},
//	    subjectPublicKey BIT STRING
//	}
type SubjectPublicKeyInfo struct {
	Algorithm AlgorithmIdentifier
	PublicKey asn1.BitString
}