Example #1
class ETypeInfoEntry(_K5Sequence):
    """Sequence holding an ``etype`` INTEGER and a ``salt`` OCTET STRING.

    The field names and tag numbers match ETYPE-INFO-ENTRY in RFC 4120.
    ``_mfield`` and ``_ofield`` are defined elsewhere; presumably they build
    a mandatory and an optional context-tagged field -- confirm there.
    """

    componentType = NamedTypes(
        _mfield('etype', 0, Integer()),
        _ofield('salt', 1, OctetString()),
    )
Example #2
class HostAddress(Sequence):
    """Address type plus raw address bytes (HostAddress in RFC 4120).

    ``_c`` is defined elsewhere; presumably it applies the context tag given
    as its first argument -- confirm against its definition.
    """

    componentType = NamedTypes(NamedType('addr-type', _c(0, Integer())),
                               NamedType('address', _c(1, OctetString())))
Example #3
class EncryptedData(Sequence):
    """Encryption type, optional key version and ciphertext.

    Field names and tags follow EncryptedData in RFC 4120.  The ASN.1 layer
    treats ``cipher`` as opaque bytes and places no restriction on ``etype``;
    a caller decoding this from the network has to decide for itself which
    encryption types it is willing to accept.
    """

    componentType = NamedTypes(NamedType('etype', _c(0, Integer())),
                               OptionalNamedType('kvno', _c(1, Integer())),
                               NamedType('cipher', _c(2, OctetString())))
Example #4
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with ldap3 in the COPYING and COPYING.LESSER files.
# If not, see <http://www.gnu.org/licenses/>.

from pyasn1.type.univ import OctetString, Integer, Sequence
from pyasn1.type.namedtype import NamedTypes, NamedType
from pyasn1.type.constraint import ValueRangeConstraint
from .controls import build_control

# constants
# maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --

# Upper bound shared by the bounded integer types: 2^31 - 1.
MAXINT = Integer((1 << 31) - 1)

# constraints
# Inclusive value range 0..MAXINT.
rangeInt0ToMaxConstraint = ValueRangeConstraint(0, MAXINT)


class Integer0ToMax(Integer):
    """INTEGER whose value must lie in the range 0..MAXINT.

    The range constraint is appended to the constraints ``Integer`` already
    carries, so values outside the range are rejected by pyasn1.
    """

    subtypeSpec = Integer.subtypeSpec + rangeInt0ToMaxConstraint


class Size(Integer0ToMax):
    """Size INTEGER (0..maxInt); adds nothing to ``Integer0ToMax``."""


class Cookie(OctetString):
Example #5
class KdcReq(Sequence):
    """Body shared by Kerberos KDC requests (KDC-REQ in RFC 4120).

    Tags start at [1], as in the RFC.

    NOTE(review): RFC 4120 marks ``padata`` as OPTIONAL, while it is declared
    mandatory here.  Encoding a request that always carries pre-auth data is
    unaffected, but decoding a request without ``padata`` would presumably be
    rejected -- confirm whether this type is ever used for decoding.
    """

    componentType = NamedTypes(
        NamedType('pvno', _c(1, Integer())),
        NamedType('msg-type', _c(2, Integer())),
        NamedType(
            'padata',
            _c(3, SequenceOf(componentType=PAData())),
        ),
        NamedType('req-body', _c(4, KdcReqBody())),
    )
Example #6
class DHParameter(Sequence):
    """Diffie-Hellman parameters: a ``prime`` and a ``base`` INTEGER.

    Decoding with this type checks the structure only.  It does not check
    that ``prime`` is actually prime or large enough, or that ``base`` is a
    sensible generator; parameters from an untrusted peer need that
    validation before use.

    NOTE(review): PKCS #3 also allows an optional ``privateValueLength``
    field, which is not declared here -- confirm that is intended.
    """

    componentType = NamedTypes(NamedType('prime', Integer()),
                               NamedType('base', Integer()))
class SdFlags(Sequence):
    """Control value holding a single ``Flags`` INTEGER.

    SDFlagsRequestValue ::= SEQUENCE {
        Flags    INTEGER
    }
    """

    componentType = NamedTypes(
        NamedType('Flags', Integer()),
    )
Example #8
    def pkcs7_signed_msg(self, msg: bytes):
        """Sign *msg* and wrap it in a DER-encoded PKCS#7 signedData blob.

        The signature comes from ``self.sign(msg)`` and the signer
        certificate is the first object decoded from ``self.pub_data``.  The
        message and the certificate are both embedded in the output, which is
        returned as the bytes produced by ``der_encoder.encode``.

        NOTE(review): the algorithm identifiers written below are fixed to
        SHA-256 and rsaEncryption.  ``self.sign`` is not visible here, so
        confirm it really produces that kind of signature; a mismatch makes
        the structure unverifiable.
        """
        signature = self.sign(msg)
        signer_cert = der_decoder.decode(self.pub_data)[0]

        # Object identifiers referenced by the structure.
        oid_signed_data = ObjectIdentifier((1, 2, 840, 113549, 1, 7, 2))
        oid_data = ObjectIdentifier((1, 2, 840, 113549, 1, 7, 1))
        oid_sha256 = ObjectIdentifier((2, 16, 840, 1, 101, 3, 4, 2, 1))
        oid_rsa_encryption = ObjectIdentifier((1, 2, 840, 113549, 1, 1, 1))

        def context_zero():
            # Fresh SEQUENCE implicitly tagged as context-specific [0].
            return Sequence().subtype(implicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))

        def algorithm_id(oid):
            # The OID followed by NULL parameters.
            return Sequence().setComponentByPosition(
                0, oid).setComponentByPosition(1, Null(''))

        # Digest algorithms used by the signers: SHA-256 only.
        digest_algorithms = Set().setComponentByPosition(
            0, algorithm_id(oid_sha256))

        # The signed content: the raw message inside a [0]-tagged wrapper.
        wrapped_message = context_zero().setComponentByPosition(
            0, OctetString(hexValue=msg.hex()))
        content_info = Sequence().setComponentByPosition(0, oid_data)
        content_info = content_info.setComponentByPosition(1, wrapped_message)

        # The signer certificate, again inside a [0]-tagged wrapper.
        certificates = context_zero().setComponentByPosition(0, signer_cert)

        # Identify the signer by two fields copied from the certificate body.
        # NOTE(review): the certificate was decoded without a schema, so the
        # fields are picked by position.  Indexes 3 and 1 are presumably the
        # issuer and the serial number, which only holds when the explicit
        # version field is present -- confirm for the certificates in use.
        cert_body = signer_cert[0]
        signer_id = Sequence().setComponentByPosition(0, cert_body[3])
        signer_id = signer_id.setComponentByPosition(1, cert_body[1])

        signer_fields = (
            Integer(1),
            signer_id,
            algorithm_id(oid_sha256),
            algorithm_id(oid_rsa_encryption),
            OctetString(hexValue=signature.hex()),
        )
        signer_info = Sequence()
        for position, field in enumerate(signer_fields):
            signer_info = signer_info.setComponentByPosition(position, field)
        signer_infos = Set().setComponentByPosition(0, signer_info)

        signed_data_fields = (
            Integer(1),
            digest_algorithms,
            content_info,
            certificates,
            signer_infos,
        )
        signed_data = Sequence()
        for position, field in enumerate(signed_data_fields):
            signed_data = signed_data.setComponentByPosition(position, field)

        # Outer wrapper: the signedData OID plus the [0]-tagged payload.
        outer = Sequence().setComponentByPosition(0, oid_signed_data)
        outer = outer.setComponentByPosition(
            1, context_zero().setComponentByPosition(0, signed_data))

        return der_encoder.encode(outer)
Example #9
class AlgorithmIdentifierData(Sequence):
    """Pair of a ``salt`` OCTET STRING and an ``iteration`` INTEGER.

    NOTE(review): this looks like the parameter block of a password-based
    key derivation -- confirm against the caller.  Nothing here bounds the
    iteration count, so a value decoded from untrusted data should be
    range-checked before it drives any computation.
    """

    componentType = NamedTypes(
        NamedType('salt', OctetString()),
        NamedType('iteration', Integer()),
    )
Example #10
class KrbPriv(Sequence):
    """Kerberos private message, application tag 21 (KRB-PRIV, RFC 4120).

    ``enc-part`` carries tag [3]; tag [2] is unused, which matches the RFC
    definition and is not a typo.
    """

    tagSet = application(21)
    componentType = NamedTypes(
        NamedType('pvno', _c(0, Integer())),
        NamedType('msg-type', _c(1, Integer())),
        NamedType('enc-part', _c(3, EncryptedData())),
    )
Example #11
class APRep(Sequence):
    """Kerberos application reply, application tag 15 (AP-REP, RFC 4120)."""

    tagSet = application(15)
    componentType = NamedTypes(
        NamedType('pvno', _c(0, Integer())),
        NamedType('msg-type', _c(1, Integer())),
        NamedType('enc-part', _c(2, EncryptedData())),
    )
Example #12
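 async def async_turn_off(self, **kwargs):
     """Turn off the switch.

     Sends ``self._command_payload_off`` through ``self._set``.  A payload
     made only of digits is wrapped in ``Integer`` first; any other payload
     is passed on unchanged.
     """
     payload = self._command_payload_off
     # Test the payload that is actually sent.  The earlier code tested the
     # "on" payload instead, so a numeric "on" combined with a non-numeric
     # "off" ended up in Integer() with a value it cannot convert.
     if payload.isdigit():
         await self._set(Integer(payload))
     else:
         await self._set(payload)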
Example #13
class SdFlags(Sequence):
    """Sequence with one mandatory ``Flags`` INTEGER."""

    componentType = NamedTypes(
        NamedType('Flags', Integer()),
    )
Example #14
class ETypeInfo2Entry(_K5Sequence):
    """Encryption type with an optional salt and optional extra parameters.

    The layout matches ETYPE-INFO2-ENTRY in RFC 4120.  ``_mfield`` and
    ``_ofield`` are defined elsewhere; presumably they build a mandatory and
    an optional context-tagged field -- confirm there.

    NOTE(review): the RFC names the third field ``s2kparams``.  The
    ``a2kparams`` spelling is a lookup key at runtime, so it is kept as is;
    renaming it would have to be coordinated with every caller.
    """

    componentType = NamedTypes(
        _mfield('etype', 0, Integer()),
        _ofield('salt', 1, GeneralString()),
        _ofield('a2kparams', 2, OctetString()),
    )
class TSRequest(Sequence):
    """
    [MS-CSSP] 2.2.1 TSRequest
    https://msdn.microsoft.com/en-us/library/cc226780.aspx

    Outermost structure exchanged by client and server. Which optional
    fields are present depends on the stage the CredSSP protocol has reached.

    TSRequest ::= SEQUENCE {
        version    [0] INTEGER,
        negoTokens [1] NegoData  OPTIONAL,
        authInfo   [2] OCTET STRING OPTIONAL,
        pubKeyAuth [3] OCTET STRING OPTIONAL,
        errorCode  [4] INTEGER OPTIONAL,
        clientNonce [5] OCTET STRING OPTIONAL,
    }

    Fields:
        version: The CredSSP protocol version supported by the sender. The
            constructor always writes CLIENT_VERSION (6). An earlier note
            here listed 2 and 3 as the valid values, which does not fit the
            version 3 and version 5 behaviour described for the fields below.
        negoTokens: A NegoData structure that contains the SPNEGO tokens or
            Kerberos/NTLM messages.
        authInfo: A TSCredentials structure that contains the user's
            credentials that are delegated to the server
        pubKeyAuth: Public key information of the server, exchanged so that
            a man in the middle can be detected. The value is only useful
            when the caller checks it against the key seen on the
            connection; this class does not perform that check.
        errorCode: When version is 3 or newer, the server can send an
            NTSTATUS failure code (Only Server 2012 R2 and newer)
        clientNonce: A 32-byte array of cryptographically random bytes, only
            used in version 5 or higher of this protocol
    """
    # Version written into every instance by __init__.
    CLIENT_VERSION = 6

    # Every field carries an explicit context tag equal to its position.
    componentType = NamedTypes(
        NamedType(
            'version',
            Integer().subtype(
                explicitTag=Tag(tagClassContext, tagFormatConstructed, 0)),
        ),
        OptionalNamedType(
            'negoTokens',
            NegoData().subtype(
                explicitTag=Tag(tagClassContext, tagFormatConstructed, 1)),
        ),
        OptionalNamedType(
            'authInfo',
            OctetString().subtype(
                explicitTag=Tag(tagClassContext, tagFormatConstructed, 2)),
        ),
        OptionalNamedType(
            'pubKeyAuth',
            OctetString().subtype(
                explicitTag=Tag(tagClassContext, tagFormatConstructed, 3)),
        ),
        OptionalNamedType(
            'errorCode',
            Integer().subtype(
                explicitTag=Tag(tagClassContext, tagFormatConstructed, 4)),
        ),
        OptionalNamedType(
            'clientNonce',
            OctetString().subtype(
                explicitTag=Tag(tagClassContext, tagFormatConstructed, 5)),
        ),
    )

    def __init__(self, **kwargs):
        """Create the sequence and set ``version`` to CLIENT_VERSION."""
        super(TSRequest, self).__init__(**kwargs)
        self['version'] = self.CLIENT_VERSION

    def check_error_code(self):
        """
        Raise NTStatusException when the server reported a failure.

        From CredSSP version 3 on, the server can answer with an NtStatus
        error code describing what went wrong. Nothing happens when the
        field is absent or equal to STATUS_SUCCESS.
        """
        error_code = self['errorCode']
        if not error_code.isValue:
            # No error code was sent, which is treated as success.
            return

        # The ASN.1 Integer is signed, while NTSTATUS values are compared as
        # unsigned 32-bit numbers, so reinterpret the value first.
        status = ctypes.c_uint32(error_code).value
        if status != NtStatusCodes.STATUS_SUCCESS:
            raise NTStatusException(status)
Example #16
class DERSignature(Sequence):
    """Signature encoded as a sequence of the two integers ``r`` and ``s``.

    Decoding with this type checks the structure only.  Range checks on
    ``r`` and ``s`` and the handling of bytes left over after the sequence
    are the responsibility of the verifying code.
    """

    componentType = NamedTypes(NamedType("r", Integer()),
                               NamedType("s", Integer()))
Example #17
    async def async_turn_off(self, **kwargs):
        """Turn off the switch.

        Wraps ``self._command_payload_off`` in a pyasn1 ``Integer`` and hands
        it to ``self._set``.
        """
        # Imported locally, so pyasn1 is only needed once the switch is used.
        from pyasn1.type.univ import Integer

        # NOTE(review): Integer() is expected to reject a payload that is not
        # numeric -- presumably the configuration guarantees one; confirm.
        off_value = Integer(self._command_payload_off)
        await self._set(off_value)
Example #18
class EncryptionKey(Sequence):
    """Key type plus raw key bytes (EncryptionKey in RFC 4120).

    ``keyvalue`` holds secret key material, so instances should be kept out
    of logs and debug dumps.
    """

    componentType = NamedTypes(
        NamedType('keytype', _c(0, Integer())),
        NamedType('keyvalue', _c(1, OctetString())),
    )
def extended_dn_control(criticality=False, hex_format=False):
    """Build the LDAP control with OID 1.2.840.113556.1.4.529.

    The control value is an ``ExtendedDN`` whose ``option`` is the negation
    of *hex_format*: 0 when *hex_format* is true, 1 otherwise.  The result
    of ``build_control`` is returned unchanged.
    """
    option = Integer(not hex_format)
    value = ExtendedDN()
    value.setComponentByName('option', option)
    return build_control('1.2.840.113556.1.4.529', criticality, value)
Example #20
class CheckSum(Sequence):
    """Checksum type plus checksum bytes (Checksum in RFC 4120).

    The ASN.1 layer only carries the value.  Whether ``cksumtype`` names an
    acceptable keyed checksum has to be decided by the code that verifies it.
    """

    componentType = NamedTypes(
        NamedType('cksumtype', _c(0, Integer())),
        NamedType('checksum', _c(1, OctetString())),
    )
class ExtendedDN(Sequence):
    """Control value with a single ``option`` INTEGER.

    option 0: GUID and SID values are returned as hexadecimal strings.
    option 1: GUID and SID values are returned in standard string format.
    """

    componentType = NamedTypes(
        NamedType('option', Integer()),
    )
Example #22
class Ticket(Sequence):
    """Kerberos ticket, application tag 1 (Ticket in RFC 4120).

    Only ``enc-part`` is encrypted.  ``realm`` and ``sname`` travel in the
    clear, so a receiver should not rely on them before the encrypted part
    has been decrypted and checked.
    """

    tagSet = application(1)
    componentType = NamedTypes(
        NamedType('tkt-vno', _c(0, Integer())),
        NamedType('realm', _c(1, Realm())),
        NamedType('sname', _c(2, PrincipalName())),
        NamedType('enc-part', _c(3, EncryptedData())),
    )
Example #23
# -- this ASN.1 module is part of RFC 4511; see the RFC itself
# -- for full legal notices.
# DEFINITIONS
# IMPLICIT TAGS
# EXTENSIBILITY IMPLIED

from pyasn1.type.univ import OctetString, Integer, Sequence, Choice, SequenceOf, Boolean, Null, Enumerated, SetOf
from pyasn1.type.namedtype import NamedTypes, NamedType, OptionalNamedType, DefaultedNamedType
from pyasn1.type.constraint import ValueRangeConstraint, SingleValueConstraint, ValueSizeConstraint
from pyasn1.type.namedval import NamedValues
from pyasn1.type.tag import tagClassApplication, tagFormatConstructed, Tag, tagClassContext, tagFormatSimple

# constants
# maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
LDAP_MAX_INT = (1 << 31) - 1
MAXINT = Integer(LDAP_MAX_INT)

# constraints
rangeInt0ToMaxConstraint = ValueRangeConstraint(0, MAXINT)
rangeInt1To127Constraint = ValueRangeConstraint(1, 127)
size1ToMaxConstraint = ValueSizeConstraint(1, MAXINT)
# Accepted result codes; any value not listed is rejected by the constraint.
responseValueConstraint = SingleValueConstraint(
    0, 1, 2, 3, 4, 5, 6, 7, 8,
    10, 11, 12, 13, 14,
    16, 17, 18, 19, 20, 21,
    32, 33, 34, 36,
    48, 49, 50, 51, 52, 53, 54,
    64, 65, 66, 67, 68, 69, 71,
    80,
    113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123,
    4096,
)

# custom constraints
# All four are still unset, so these syntaxes are not checked at the ASN.1
# layer.  Values of these kinds that come from untrusted input have to be
# validated by the calling code.
numericOIDConstraint = None  # TODO
distinguishedNameConstraint = None  # TODO
nameComponentConstraint = None  # TODO
attributeDescriptionConstraint = None  # TODO
Example #24
class LastReq(SequenceOf):
    """List of (lr-type, lr-value) pairs (LastReq in RFC 4120)."""

    componentType = Sequence(
        componentType=NamedTypes(
            NamedType('lr-type', _c(0, Integer())),
            NamedType('lr-value', _c(1, KerberosTime())),
        )
    )
Example #25
class PrincipalName(Sequence):
    """Name type plus the list of name components (RFC 4120 PrincipalName)."""

    componentType = NamedTypes(
        NamedType('name-type', _c(0, Integer())),
        NamedType(
            'name-string',
            _c(1, SequenceOf(componentType=KerberosString())),
        ),
    )
Example #26
class TransitedEncoding(Sequence):
    """Encoding type plus opaque contents (TransitedEncoding in RFC 4120)."""

    componentType = NamedTypes(
        NamedType('tr-type', _c(0, Integer())),
        NamedType('contents', _c(1, OctetString())),
    )
Example #27
class PAData(Sequence):
    """Pre-authentication data element (PA-DATA in RFC 4120).

    The tags are [1] and [2] rather than [0] and [1], as in the RFC.
    ``padata-value`` is opaque here; its meaning depends on ``padata-type``.
    """

    componentType = NamedTypes(NamedType('padata-type', _c(1, Integer())),
                               NamedType('padata-value', _c(2, OctetString())))
Example #28
class AuthorizationData(SequenceOf):
    """List of (ad-type, ad-data) pairs (AuthorizationData in RFC 4120).

    ``ad-data`` is carried as opaque bytes.  Interpreting it, and deciding
    whether an unknown ``ad-type`` may be ignored, is left to the caller.
    """

    componentType = Sequence(
        componentType=NamedTypes(
            NamedType('ad-type', _c(0, Integer())),
            NamedType('ad-data', _c(1, OctetString())),
        )
    )
Example #29
    def turn_off(self):
        """Turn off the switch.

        Wraps ``self._payload_off`` in a pyasn1 ``Integer`` and hands it to
        ``self._set``.
        """
        # Imported locally, so pyasn1 is only needed once the switch is used.
        from pyasn1.type.univ import Integer

        # NOTE(review): Integer() is expected to reject a payload that is not
        # numeric -- presumably the configuration guarantees one; confirm.
        off_value = Integer(self._payload_off)
        self._set(off_value)
Example #30
class PAEncTSEnc(_K5Sequence):
    """Client timestamp with optional microseconds (PA-ENC-TS-ENC, RFC 4120).

    ``_mfield`` and ``_ofield`` are defined elsewhere; presumably they build
    a mandatory and an optional context-tagged field -- confirm there.
    Checking the timestamp against the permitted clock skew is not part of
    this type.
    """

    componentType = NamedTypes(
        _mfield('patimestamp', 0, GeneralizedTime()),
        _ofield('pausec', 1, Integer()),
    )