def test_asn1_decode_key_with_context(self): context = heimdal.context() (keyblock, salt, kvno) = heimdal.asn1_decode_key(self.ASN1, context) self.assertEqual(ENCSTR, str(keyblock.keytype())) self.assertEqual(self.VALUE, keyblock.keyvalue()) self.assertEqual(self.SALT, salt.saltvalue()) self.assertEqual(KVNO, kvno)
def krb5_asn1(principal, password, krb5_context=None):
# type: (str, str, Optional[heimdal.context]) -> List[bytes]
"""
Generate Kerberos password hashes.
:param principal: Kerberos principal name.
:param password: password string.
:param krb5_context: optional Kerberos context.
:returns: list of ASN1 encoded Kerberos hashes.
"""
list = []
if isinstance(principal, unicode):
principal = principal.encode('utf-8')
if isinstance(password, unicode):
password = password.encode('utf-8')
if not krb5_context:
krb5_context = heimdal.context()
for krb5_etype in krb5_context.get_permitted_enctypes():
if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
continue
krb5_principal = heimdal.principal(krb5_context, principal)
krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
krb5_salt = heimdal.salt(krb5_context, krb5_principal)
list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
return list
def test_context(self): before = middle = after = 0 before = sys.gettotalrefcount() context = heimdal.context() middle = sys.gettotalrefcount() del context after = sys.gettotalrefcount() self.assertGreater(middle, before) self.assertLess(after, middle) self.assertEqual(before, after)
def test_keyblock(self): context = heimdal.context() before = middle = after = 0 before = sys.gettotalrefcount() keyblock = heimdal.keyblock_raw(context, ENCINT, TestKeyblock.VALUE) middle = sys.gettotalrefcount() del keyblock after = sys.gettotalrefcount() self.assertGreater(middle, before) self.assertLess(after, middle) self.assertEqual(before, after)
def test_principal(self): context = heimdal.context() before = middle = after = 0 before = sys.gettotalrefcount() principal = heimdal.principal(context, USER) middle = sys.gettotalrefcount() del principal after = sys.gettotalrefcount() self.assertGreater(middle, before) self.assertLess(after, middle) self.assertEqual(before, after)
def test_enctype(self): context = heimdal.context() before = middle = after = 0 before = sys.gettotalrefcount() enctype = heimdal.enctype(context, ENCSTR) middle = sys.gettotalrefcount() del enctype after = sys.gettotalrefcount() self.assertGreater(middle, before) self.assertLess(after, middle) self.assertEqual(before, after)
def test_keytab(self): context = heimdal.context() before = middle = after = 0 with NamedTemporaryFile() as tmpfile: before = sys.gettotalrefcount() keytab = heimdal.keytab(context, tmpfile.name) middle = sys.gettotalrefcount() del keytab after = sys.gettotalrefcount() self.assertGreater(middle, before) self.assertLess(after, middle) self.assertEqual(before, after)
def test_creds(self): context = heimdal.context() principal = heimdal.principal(context, USER) tkt_service = "" before = middle = after = 0 before = sys.gettotalrefcount() creds = heimdal.creds(context, principal, PASSWORD, tkt_service) middle = sys.gettotalrefcount() del creds after = sys.gettotalrefcount() self.assertGreater(middle, before) self.assertLess(after, middle) self.assertEqual(before, after)
def krb5_asn1(principal, password, krb5_context=None):
list = []
if isinstance(principal, types.UnicodeType):
principal = str(principal)
if isinstance(password, types.UnicodeType):
password = str(password)
if not krb5_context:
krb5_context = heimdal.context()
for krb5_etype in krb5_context.get_permitted_enctypes():
if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
continue
krb5_principal = heimdal.principal(krb5_context, principal)
krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
krb5_salt = heimdal.salt(krb5_context, krb5_principal)
list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
return list
def krb5_asn1(principal, password, krb5_context=None):
list=[]
if type(principal) == types.UnicodeType:
principal = str( principal )
if type(password) == types.UnicodeType:
password = str( password )
if not krb5_context:
krb5_context = heimdal.context()
for krb5_etype in krb5_context.get_permitted_enctypes():
if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
continue
krb5_principal = heimdal.principal(krb5_context, principal)
krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
krb5_salt = heimdal.salt(krb5_context, krb5_principal)
list.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
return list
def setUp(self): context = heimdal.context() principal = heimdal.principal(context, USER) tkt_service = "" self.creds = heimdal.creds(self.context, principal, PASSWORD, tkt_service)
def calculate_krb5keys(supplementalCredentialsblob): spl = supplementalCredentialsblob #cleartext_hex = None keys = [] keytypes = [] kvno = 0 context = heimdal.context() # for i in range(0, spl.sub.num_packages): # pkg = spl.sub.packages[i] # if pkg.name != "Primary:CLEARTEXT": # continue # cleartext_hex = pkg.data krb5_old_hex = None for i in range(0, spl.sub.num_packages): pkg = spl.sub.packages[i] if pkg.name != "Primary:Kerberos": continue krb5_old_hex = pkg.data if krb5_old_hex is not None: krb5_old_raw = binascii.a2b_hex(krb5_old_hex) krb5_old = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_old_raw, allow_remaining=True) assert krb5_old.version == 3 for k in krb5_old.ctr.keys: if k.keytype not in keytypes: ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype) try: key = heimdal.keyblock_raw(context, k.keytype, k.value) krb5SaltObject = heimdal.salt_raw(context, krb5_old.ctr.salt.string) keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno)) keytypes.append(k.keytype) except Exception: if k.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, pkg.name)) else: ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, pkg.name)) ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc()) krb5_new_hex = None for i in range(0, spl.sub.num_packages): pkg = spl.sub.packages[i] if pkg.name != "Primary:Kerberos-Newer-Keys": continue krb5_new_hex = pkg.data if krb5_new_hex is not None: krb_blob = binascii.unhexlify(krb5_new_hex) krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob) assert krb.version == 4 for k in krb.ctr.keys: if k.keytype not in keytypes: ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype) try: key = heimdal.keyblock_raw(context, k.keytype, k.value) krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string) keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno)) keytypes.append(k.keytype) except Exception: if k.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, pkg.name)) else: ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, pkg.name)) ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc()) return keys
def __init__(self): self.ctx = heimdal.context() self.etypes = self.ctx.get_permitted_enctypes() self.etype_ids = [et.toint() for et in self.etypes]
def test_asn1_encode_key_invalid_salt(self): context = heimdal.context() keyblock = heimdal.keyblock_raw(context, ENCINT, self.VALUE) with self.assertRaises(TypeError): heimdal.asn1_encode_key(keyblock, 0, KVNO)
def test_asn1_encode_key_without_salt(self): context = heimdal.context() keyblock = heimdal.keyblock_raw(context, ENCINT, self.VALUE) asn1 = heimdal.asn1_encode_key(keyblock, None, KVNO) self.assertIsNotNone(asn1)
def test_asn1_encode_key(self): context = heimdal.context() keyblock = heimdal.keyblock_raw(context, ENCINT, self.VALUE) salt = heimdal.salt_raw(context, self.SALT) asn1 = heimdal.asn1_encode_key(keyblock, salt, KVNO) self.assertEqual(self.ASN1, asn1)
def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0): up_blob = unicodePwd sc_blob = supplementalCredentials keys = [] keytypes = [] context = heimdal.context() if up_blob: # ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: up_blob: %s" % binascii.b2a_base64(up_blob)) assert len(up_blob) == 16 key = heimdal.keyblock_raw(context, 23, up_blob) keys.append(heimdal.asn1_encode_key(key, None, kvno)) if sc_blob: # ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: sc_blob: %s" % binascii.b2a_base64(sc_blob)) try: sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob) for p in sc.sub.packages: krb = None ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: parsing %s blob" % p.name) if p.name == "Primary:Kerberos": krb_blob = binascii.unhexlify(p.data) krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob) assert krb.version == 3 for k in krb.ctr.keys: if k.keytype not in keytypes: ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype) try: key = heimdal.keyblock_raw(context, k.keytype, k.value) krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string) keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno)) keytypes.append(k.keytype) except: if k.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this if k.value == up_blob: # the known case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name)) else: # unknown special case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name)) else: traceback.print_exc() ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name)) elif p.name == "Primary:Kerberos-Newer-Keys": krb_blob = binascii.unhexlify(p.data) krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob) assert krb.version == 4 for k in krb.ctr.keys: if k.keytype not in keytypes: ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype) try: key = heimdal.keyblock_raw(context, k.keytype, k.value) krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string) keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno)) keytypes.append(k.keytype) except: if k.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this if k.value == up_blob: # the known case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name)) else: # unknown special case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name)) else: traceback.print_exc() ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name)) except Exception: import sys exc = sys.exc_info()[1] if isinstance(exc.args, type(())) and len(exc.args) == 2 and exc.args[1] == 'Buffer Size Error': ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: '%s' while unpacking supplementalCredentials:: %s" % (exc, binascii.b2a_base64(sc_blob))) ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.") else: traceback.print_exc() ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.") return keys
def setUp(self): self.context = heimdal.context() self.principal = heimdal.principal(self.context, USER) self.ccache = heimdal.ccache(self.context)
def setUp(self): self.context = heimdal.context() self.enctype = heimdal.enctype(self.context, ENCSTR) self.principal = heimdal.principal(self.context, USER)
def setUp(self): context = heimdal.context() self.enctype = heimdal.enctype(context, ENCSTR)
def setUp(self): self.context = heimdal.context()
def setUp(self): context = heimdal.context() self.principal = heimdal.principal(context, USER)
def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0): up_blob = unicodePwd sc_blob = supplementalCredentials keys = [] keytypes = [] context = heimdal.context() if up_blob: #ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: up_blob: %s" % binascii.b2a_base64(up_blob)) assert len(up_blob) == 16 key = heimdal.keyblock_raw(context, 23, up_blob) keys.append(heimdal.asn1_encode_key(key, None, kvno)) if sc_blob: #ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: sc_blob: %s" % binascii.b2a_base64(sc_blob)) try: sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob) for p in sc.sub.packages: krb = None ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: parsing %s blob" % p.name) if p.name == "Primary:Kerberos": krb_blob = binascii.unhexlify(p.data) krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob) assert krb.version == 3 for k in krb.ctr.keys: if k.keytype not in keytypes: ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype) try: key = heimdal.keyblock_raw(context, k.keytype, k.value) krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string) keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno)) keytypes.append(k.keytype) except: if k.keytype == 4294967156: ## in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this if k.value == up_blob: ## the known case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name)) else: ## unknown special case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name)) else: traceback.print_exc() ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name)) elif p.name == "Primary:Kerberos-Newer-Keys": krb_blob = binascii.unhexlify(p.data) krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob) assert krb.version == 4 for k in krb.ctr.keys: if k.keytype not in keytypes: ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype) try: key = heimdal.keyblock_raw(context, k.keytype, k.value) krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string) keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno)) keytypes.append(k.keytype) except: if k.keytype == 4294967156: ## in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this if k.value == up_blob: ## the known case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring arc4 NThash with special keytype %s in %s" % (k.keytype, p.name)) else: ## unknown special case ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, p.name)) else: traceback.print_exc() ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, p.name)) except Exception: import sys exc = sys.exc_info()[1] if type(exc.args) == type(()) and len(exc.args) == 2 and exc.args[1] == 'Buffer Size Error': ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: '%s' while unpacking supplementalCredentials:: %s" % ( exc, binascii.b2a_base64(sc_blob) ) ) ud.debug(ud.LDAP, ud.WARN, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.") else: traceback.print_exc() ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: the krb5Keys from the PrimaryKerberosBlob could not be parsed. Continuing anyway.") return keys