def test_unpack_krb_ap_rep(): data = get_data('initial_context_token_krb_ap_rep') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, sp.InitialContextToken) assert actual.this_mech == GSSMech.kerberos.value actual = actual.token assert isinstance(actual, kerb.KrbApRep) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.ap_rep assert isinstance(actual.enc_part.cipher, bytes) assert actual.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.enc_part.kvno is None # Test pyspnego-parse dict. actual = kerb.parse_kerberos_token(actual) assert actual['pvno'] == 5 assert actual['msg-type'] == 'AP-REP (15)' assert actual['enc-part']['etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['enc-part']['kvno'] is None assert isinstance(actual['enc-part']['cipher'], text_type)
def test_unpack_ntlm(): data = get_data('ntlm_challenge') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, Challenge) assert actual.MESSAGE_TYPE == MessageType.challenge
def test_unpack_krb_ap_rep(): data = get_data('initial_context_token_krb_ap_rep') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, sp.InitialContextToken) assert actual.this_mech == GSSMech.kerberos.value assert isinstance(actual.token, KrbApRep)
def test_unpack_neg_token_resp(): data = get_data('neg_token_resp') actual = sp.unpack_token(data) assert isinstance(actual, sp.NegTokenResp) assert actual.mech_list_mic is None assert actual.neg_state == sp.NegState.accept_complete assert isinstance(actual.response_token, bytes) assert actual.supported_mech == GSSMech.kerberos.value actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, sp.NegTokenResp)
def test_unpack_krb_tgs_rep(): data = get_data('krb_tgs_rep') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, kerb.KrbTgsRep) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.tgs_rep assert actual.cname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.principal, [b'vagrant-domain']) assert actual.crealm == b'DOMAIN.LOCAL' assert isinstance(actual.enc_part.cipher, bytes) assert actual.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.enc_part.kvno is None assert actual.padata is None assert isinstance(actual.ticket.enc_part.cipher, bytes) assert actual.ticket.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.ticket.enc_part.kvno == 6 assert actual.ticket.realm == b'DOMAIN.LOCAL' assert actual.ticket.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_hst, [b'HTTP', b'server2019.domain.local']) assert actual.ticket.tkt_vno == 5 # Test pyspnego-parse dict. actual = kerb.parse_kerberos_token(actual) assert actual['pvno'] == 5 assert actual['msg-type'] == 'TGS-REP (13)' assert actual['padata'] is None assert actual['crealm'] == 'DOMAIN.LOCAL' assert actual['cname']['name-type'] == 'NT-PRINCIPAL (1)' assert actual['cname']['name-string'] == ['vagrant-domain'] assert actual['ticket']['tkt-vno'] == 5 assert actual['ticket']['realm'] == 'DOMAIN.LOCAL' assert actual['ticket']['sname']['name-type'] == 'NT-SRV-HST (3)' assert actual['ticket']['sname']['name-string'] == [ 'HTTP', 'server2019.domain.local' ] assert actual['ticket']['enc-part'][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['ticket']['enc-part']['kvno'] == 6 assert isinstance(actual['ticket']['enc-part']['cipher'], text_type) assert actual['enc-part']['etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['enc-part']['kvno'] is None assert isinstance(actual['enc-part']['cipher'], text_type)
def test_pack_neg_token_init2(): token = sp.NegTokenInit( [GSSMech.kerberos.value, GSSMech.ntlm.value], sp.ContextFlags.anon, mech_token=b"\x00\x00\x00\x00", hint_name=b"spn", hint_address=b"not_defined_in_RFC4178@please_ignore", mech_list_mic=b"\x01\x01\x01\x01") actual = token.pack() assert actual == b"\x60\x70\x06\x06\x2B\x06\x01\x05\x05\x02\xA0\x66\x30\x64\xA0\x19" \ b"\x30\x17\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x06\x0A\x2B" \ b"\x06\x01\x04\x01\x82\x37\x02\x02\x0A\xA1\x04\x03\x02\x00\x04\xA2" \ b"\x06\x04\x04\x00\x00\x00\x00\xA3\x31\x30\x2F\xA0\x05\x1B\x03\x73" \ b"\x70\x6E\xA1\x26\x04\x24\x6E\x6F\x74\x5F\x64\x65\x66\x69\x6E\x65" \ b"\x64\x5F\x69\x6E\x5F\x52\x46\x43\x34\x31\x37\x38\x40\x70\x6C\x65" \ b"\x61\x73\x65\x5F\x69\x67\x6E\x6F\x72\x65\xA4\x06\x04\x04\x01\x01" \ b"\x01\x01" token = sp.unpack_token(actual) assert token.mech_types == [ '1.2.840.113554.1.2.2', '1.3.6.1.4.1.311.2.2.10' ] assert token.req_flags == sp.ContextFlags.deleg assert token.mech_token == b"\x00\x00\x00\x00" assert token.hint_name == b"spn" assert token.hint_address == b"not_defined_in_RFC4178@please_ignore" assert token.mech_list_mic == b"\x01\x01\x01\x01"
def test_unpack_initial_context_token_unknown_mech(): data = pack_asn1( TagClass.application, True, 0, pack_asn1_object_identifier('1.2.3.4.5') + b"\x00\x00\x00\x00") token = sp.unpack_token(data) assert token == data
def test_unpack_krb_ap_req(): data = get_data('initial_context_token_krb_ap_req') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, sp.InitialContextToken) assert actual.this_mech == GSSMech.kerberos.value actual = actual.token assert isinstance(actual, kerb.KrbApReq) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.ap_req assert actual.ap_options == kerb.KerberosAPOptions.mutual_required assert isinstance(actual.authenticator.cipher, bytes) assert actual.authenticator.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.authenticator.kvno is None assert isinstance(actual.ticket.enc_part.cipher, bytes) assert actual.ticket.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.ticket.enc_part.kvno == 6 assert actual.ticket.realm == b'DOMAIN.LOCAL' assert actual.ticket.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_hst, [b'host', b'dc01']) assert actual.ticket.tkt_vno == 5 # Test pyspnego-parse dict. actual = kerb.parse_kerberos_token(actual) assert actual['pvno'] == 5 assert actual['msg-type'] == 'AP-REQ (14)' assert actual['ap-options']['raw'] == 32 assert actual['ap-options']['flags'] == ['mutual-required (32)'] assert actual['ticket']['tkt-vno'] == 5 assert actual['ticket']['realm'] == 'DOMAIN.LOCAL' assert actual['ticket']['sname']['name-type'] == 'NT-SRV-HST (3)' assert actual['ticket']['sname']['name-string'] == ['host', 'dc01'] assert actual['ticket']['enc-part'][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['ticket']['enc-part']['kvno'] == 6 assert isinstance(actual['ticket']['enc-part']['cipher'], text_type) assert actual['authenticator']['etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['authenticator']['kvno'] is None assert isinstance(actual['authenticator']['cipher'], text_type)
def test_unpack_krb_error(): data = get_data('krb_error') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, kerb.KrbError) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.error assert actual.cname is None assert actual.crealm is None assert actual.ctime is None assert actual.cusec is None assert isinstance(actual.e_data, bytes) assert actual.e_text is None assert actual.error_code == kerb.KerberosErrorCode.preauth_required assert actual.realm == b'DOMAIN.LOCAL' assert actual.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_inst, [b'krbtgt', b'DOMAIN.LOCAL']) assert actual.stime == datetime.datetime(2020, 6, 13, 21, 4, 23, tzinfo=UTC()) assert actual.susec == 748591 actual = kerb.parse_kerberos_token(actual, encoding='utf-8') assert actual['pvno'] == 5 assert actual['msg-type'] == 'KRB-ERROR (30)' assert actual['ctime'] is None assert actual['cusec'] is None assert actual['stime'] == '2020-06-13T21:04:23+00:00' assert actual['susec'] == 748591 assert actual['error-code'] == 'KDC_ERR_PREAUTH_REQUIRED (25)' assert actual['crealm'] is None assert actual['cname'] is None assert actual['realm'] == 'DOMAIN.LOCAL' assert actual['sname']['name-type'] == 'NT-SRV-INST (2)' assert actual['sname']['name-string'] == ['krbtgt', 'DOMAIN.LOCAL'] assert actual['e-text'] is None assert isinstance(actual['e-data'], text_type)
def test_unpack_neg_token_init(): data = get_data('initial_context_token_neg_token_init') actual = sp.unpack_token(data) assert isinstance(actual, sp.NegTokenInit) assert actual.hint_address is None assert actual.hint_name is None assert actual.mech_list_mic is None assert isinstance(actual.mech_token, bytes) assert actual.mech_types == [ '1.2.840.113554.1.2.2', '1.3.6.1.4.1.311.2.2.10' ] assert actual.req_flags is None actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, sp.InitialContextToken) assert actual.this_mech == GSSMech.spnego.value assert isinstance(actual.token, sp.NegTokenInit)
def test_unpack_neg_token_init2(): data = get_data('initial_context_token_neg_token_init2') actual = sp.unpack_token(data) assert isinstance(actual, sp.NegTokenInit) assert actual.hint_address is None assert actual.hint_name == b'not_defined_in_RFC4178@please_ignore' assert actual.mech_list_mic is None assert actual.mech_token is None assert actual.mech_types == [ '1.3.6.1.4.1.311.2.2.30', '1.2.840.48018.1.2.2', '1.2.840.113554.1.2.2', '1.2.840.113554.1.2.2.3', '1.3.6.1.4.1.311.2.2.10' ] assert actual.req_flags is None actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, sp.InitialContextToken) assert actual.this_mech == GSSMech.spnego.value assert isinstance(actual.token, sp.NegTokenInit)
def test_pack_neg_token_resp(): token = sp.NegTokenResp(sp.NegState.request_mic, GSSMech.ntlm.value, b"\x00\x00\x00\x00", b"\x01\x01\x01\x01") actual = token.pack() assert actual == b"\xA1\x25\x30\x23\xA0\x03\x0A\x01\x03\xA1\x0C\x06\x0A\x2B\x06\x01" \ b"\x04\x01\x82\x37\x02\x02\x0A\xA2\x06\x04\x04\x00\x00\x00\x00\xA3" \ b"\x06\x04\x04\x01\x01\x01\x01" token = sp.unpack_token(actual) assert token.neg_state == sp.NegState.request_mic assert token.supported_mech == GSSMech.ntlm.value assert token.response_token == b"\x00\x00\x00\x00" assert token.mech_list_mic == b"\x01\x01\x01\x01"
def test_unpack_unknown_krb(): sequence = pack_asn1_sequence([ pack_asn1(TagClass.context_specific, True, 0, pack_asn1_integer(5)), pack_asn1(TagClass.context_specific, True, 1, pack_asn1_integer(0)), ]) actual = sp.unpack_token(sequence, unwrap=True) assert isinstance(actual, kerb.KerberosV5Msg) assert actual.PVNO == 5 assert isinstance(actual.sequence, dict) assert actual.sequence[0].tag_class == TagClass.universal assert not actual.sequence[0].constructed assert actual.sequence[0].tag_number == TypeTagNumber.integer assert actual.sequence[0].b_data == b'\x05' assert actual.sequence[1].tag_class == TagClass.universal assert not actual.sequence[1].constructed assert actual.sequence[1].tag_number == TypeTagNumber.integer assert actual.sequence[1].b_data == b'\x00'
def test_pack_neg_token_init(): token = sp.NegTokenInit([GSSMech.kerberos.value, GSSMech.ntlm.value], sp.ContextFlags.anon, b"\x00\x00\x00\x00", mech_list_mic=b"\x01\x01\x01\x01") actual = token.pack() assert actual == b"\x60\x3D\x06\x06\x2B\x06\x01\x05\x05\x02\xA0\x33\x30\x31\xA0\x19" \ b"\x30\x17\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x06\x0A\x2B" \ b"\x06\x01\x04\x01\x82\x37\x02\x02\x0A\xA1\x04\x03\x02\x00\x04\xA2" \ b"\x06\x04\x04\x00\x00\x00\x00\xA3\x06\x04\x04\x01\x01\x01\x01" token = sp.unpack_token(actual) assert token.mech_types == [ '1.2.840.113554.1.2.2', '1.3.6.1.4.1.311.2.2.10' ] assert token.req_flags == sp.ContextFlags.deleg assert token.mech_token == b"\x00\x00\x00\x00" assert token.hint_name is None assert token.hint_address is None assert token.mech_list_mic == b"\x01\x01\x01\x01"
def test_unpack_krb_as_rep(): data = get_data('krb_as_rep') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, kerb.KrbAsRep) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.as_rep assert actual.cname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.principal, [b'vagrant-domain']) assert actual.crealm == b'DOMAIN.LOCAL' assert isinstance(actual.enc_part.cipher, bytes) assert actual.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.enc_part.kvno == 11 assert isinstance(actual.padata, list) assert len(actual.padata) == 1 assert actual.padata[0].data_type == kerb.KerberosPADataType.etype_info2 assert actual.padata[0].b_value == b"\x30\x25\x30\x23\xA0\x03\x02\x01\x12\xA1\x1C\x1B\x1A\x44\x4F\x4D" \ b"\x41\x49\x4E\x2E\x4C\x4F\x43\x41\x4C\x76\x61\x67\x72\x61\x6E\x74" \ b"\x2D\x64\x6F\x6D\x61\x69\x6E" pa1_val = actual.padata[0].value assert isinstance(pa1_val, list) assert len(pa1_val) == 1 assert pa1_val[ 0].etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert pa1_val[0].salt == b"DOMAIN.LOCALvagrant-domain" assert pa1_val[0].s2kparams is None assert isinstance(actual.ticket.enc_part.cipher, bytes) assert actual.ticket.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert actual.ticket.enc_part.kvno == 2 assert actual.ticket.realm == b'DOMAIN.LOCAL' assert actual.ticket.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_inst, [b'krbtgt', b'DOMAIN.LOCAL']) assert actual.ticket.tkt_vno == 5 # Test pyspnego-parse dict. actual = kerb.parse_kerberos_token(actual) assert actual['pvno'] == 5 assert actual['msg-type'] == 'AS-REP (11)' assert isinstance(actual['padata'], list) assert len(actual['padata']) == 1 assert actual['padata'][0]['padata-type'] == 'PA-ETYPE-INFO2 (19)' assert isinstance(actual['padata'][0]['padata-value'], list) assert len(actual['padata'][0]['padata-value']) == 1 assert actual['padata'][0]['padata-value'][0][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['padata'][0]['padata-value'][0][ 'salt'] == '444F4D41494E2E4C4F43414C76616772616E742D646F6D61696E' assert actual['padata'][0]['padata-value'][0]['s2kparams'] is None assert actual['crealm'] == 'DOMAIN.LOCAL' assert actual['cname']['name-type'] == 'NT-PRINCIPAL (1)' assert actual['cname']['name-string'] == ['vagrant-domain'] assert actual['ticket']['tkt-vno'] == 5 assert actual['ticket']['realm'] == 'DOMAIN.LOCAL' assert actual['ticket']['sname']['name-type'] == 'NT-SRV-INST (2)' assert actual['ticket']['sname']['name-string'] == [ 'krbtgt', 'DOMAIN.LOCAL' ] assert actual['ticket']['enc-part'][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['ticket']['enc-part']['kvno'] == 2 assert isinstance(actual['ticket']['enc-part']['cipher'], text_type) assert actual['enc-part']['etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['enc-part']['kvno'] == 11 assert isinstance(actual['enc-part']['cipher'], text_type)
def test_unpack_krb_tgs_req(): data = get_data('krb_tgs_req') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, kerb.KrbTgsReq) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.tgs_req assert isinstance(actual.padata, list) assert len(actual.padata) == 1 assert actual.padata[0].data_type == kerb.KerberosPADataType.tgs_req assert isinstance(actual.padata[0].b_value, bytes) pa1_val = actual.padata[0].value assert pa1_val.PVNO == 5 assert pa1_val.MESSAGE_TYPE == kerb.KerberosMessageType.ap_req assert pa1_val.ap_options == 0 assert isinstance(pa1_val.authenticator.cipher, bytes) assert pa1_val.authenticator.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert pa1_val.authenticator.kvno is None assert isinstance(pa1_val.ticket.enc_part.cipher, bytes) assert pa1_val.ticket.enc_part.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert pa1_val.ticket.enc_part.kvno == 2 assert pa1_val.ticket.realm == b'DOMAIN.LOCAL' assert pa1_val.ticket.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_inst, [b'krbtgt', b'DOMAIN.LOCAL']) assert pa1_val.ticket.tkt_vno == 5 assert actual.req_body.additional_tickets is None assert actual.req_body.addresses is None assert actual.req_body.cname is None assert actual.req_body.enc_authorization_data is None assert actual.req_body.etype == [ kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96, kerb.KerberosEncryptionType.aes128_cts_hmac_sha1_96, kerb.KerberosEncryptionType.des3_cbc_sha1, kerb.KerberosEncryptionType.rc4_hmac ] assert actual.req_body.kdc_options == 1073807360 assert actual.req_body.nonce == 333512069 assert actual.req_body.postdated_from is None assert actual.req_body.postdated_till == datetime.datetime(1970, 1, 1, 0, 0, 0, tzinfo=UTC()) assert actual.req_body.realm == b'DOMAIN.LOCAL' assert actual.req_body.rtime is None assert actual.req_body.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_hst, [b'HTTP', b'server2019.domain.local']) # Test pyspnego-parse dict. actual = kerb.parse_kerberos_token(actual) assert actual['pvno'] == 5 assert actual['msg-type'] == 'TGS-REQ (12)' assert isinstance(actual['padata'], list) assert len(actual['padata']) == 1 assert actual['padata'][0]['padata-type'] == 'PA-TGS-REQ (1)' assert actual['padata'][0]['padata-value']['pvno'] == 5 assert actual['padata'][0]['padata-value']['msg-type'] == 'AP-REQ (14)' assert actual['padata'][0]['padata-value']['ap-options']['raw'] == 0 assert actual['padata'][0]['padata-value']['ap-options']['flags'] == [] assert actual['padata'][0]['padata-value']['ticket']['tkt-vno'] == 5 assert actual['padata'][0]['padata-value']['ticket'][ 'realm'] == 'DOMAIN.LOCAL' assert actual['padata'][0]['padata-value']['ticket']['sname'][ 'name-type'] == 'NT-SRV-INST (2)' assert actual['padata'][0]['padata-value']['ticket']['sname'][ 'name-string'] == ['krbtgt', 'DOMAIN.LOCAL'] assert actual['padata'][0]['padata-value']['ticket']['enc-part'][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['padata'][0]['padata-value']['ticket']['enc-part'][ 'kvno'] == 2 assert isinstance( actual['padata'][0]['padata-value']['ticket']['enc-part']['cipher'], text_type) assert actual['padata'][0]['padata-value']['authenticator'][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['padata'][0]['padata-value']['authenticator']['kvno'] is None assert isinstance( actual['padata'][0]['padata-value']['authenticator']['cipher'], text_type) assert actual['req-body']['kdc-options']['raw'] == 1073807360 assert actual['req-body']['kdc-options']['flags'] == [ 'forwardable (1073741824)', 'canonicalize (65536)' ] assert actual['req-body']['cname'] is None assert actual['req-body']['realm'] == 'DOMAIN.LOCAL' assert actual['req-body']['sname']['name-type'] == 'NT-SRV-HST (3)' assert actual['req-body']['sname']['name-string'] == [ 'HTTP', 'server2019.domain.local' ] assert actual['req-body']['from'] is None assert actual['req-body']['till'] == '1970-01-01T00:00:00+00:00' assert actual['req-body']['rtime'] is None assert actual['req-body']['etype'] == [ 'AES256_CTS_HMAC_SHA1_96 (18)', 'AES128_CTS_HMAC_SHA1_96 (17)', 'DES3_CBC_SHA1 (16)', 'RC4_HMAC (23)' ] assert actual['req-body']['addresses'] is None assert actual['req-body']['enc-authorization-data'] is None assert actual['req-body']['additional-tickets'] is None
def test_unpack_krb_as_req(): data = get_data('krb_as_req') actual = sp.unpack_token(data) assert actual == data actual = sp.unpack_token(data, unwrap=True) assert isinstance(actual, kerb.KrbAsReq) assert actual.PVNO == 5 assert actual.MESSAGE_TYPE == kerb.KerberosMessageType.as_req assert isinstance(actual.padata, list) assert len(actual.padata) == 2 assert actual.padata[0].data_type == kerb.KerberosPADataType.enc_timestamp assert actual.padata[0].b_value == b"\x30\x41\xA0\x03\x02\x01\x12\xA2\x3A\x04\x38\x07\x40\x46\x03\xA8" \ b"\x69\xC9\x31\x76\xE2\x8E\xDA\xD1\x34\xCE\x7F\xC4\xC8\x73\x58\x0D" \ b"\xF4\x61\x1C\x85\x5F\x43\xF6\xAA\x9E\x48\xE2\xF0\x8C\xC2\x88\x70" \ b"\xAA\xBC\xF0\xF7\xF2\xD4\xA2\xC2\xE3\x53\xDE\x81\xF7\x30\x2F\xAF" \ b"\x7C\x85\x12" pa1_val = actual.padata[0].value assert isinstance(pa1_val, kerb.EncryptedData) assert pa1_val.etype == kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96 assert pa1_val.kvno is None assert pa1_val.cipher == b"\x07\x40\x46\x03\xA8\x69\xC9\x31\x76\xE2\x8E\xDA\xD1\x34\xCE\x7F" \ b"\xC4\xC8\x73\x58\x0D\xF4\x61\x1C\x85\x5F\x43\xF6\xAA\x9E\x48\xE2" \ b"\xF0\x8C\xC2\x88\x70\xAA\xBC\xF0\xF7\xF2\xD4\xA2\xC2\xE3\x53\xDE" \ b"\x81\xF7\x30\x2F\xAF\x7C\x85\x12" assert actual.padata[1].data_type == 149 assert actual.padata[1].b_value == b"" assert actual.padata[1].value == b"" assert isinstance(actual.req_body, kerb.KdcReqBody) assert actual.req_body.additional_tickets is None assert actual.req_body.addresses is None assert actual.req_body.cname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.principal, [b'vagrant-domain']) assert actual.req_body.enc_authorization_data is None assert actual.req_body.etype == [ kerb.KerberosEncryptionType.aes256_cts_hmac_sha1_96, kerb.KerberosEncryptionType.aes128_cts_hmac_sha1_96, kerb.KerberosEncryptionType.des3_cbc_sha1, kerb.KerberosEncryptionType.rc4_hmac ] assert actual.req_body.kdc_options == 1073741824 assert actual.req_body.nonce == 734266074 assert actual.req_body.postdated_from is None assert actual.req_body.postdated_till == datetime.datetime(2020, 6, 14, 7, 4, 20, tzinfo=UTC()) assert actual.req_body.realm == b'DOMAIN.LOCAL' assert actual.req_body.rtime is None assert actual.req_body.sname == kerb.PrincipalName( kerb.KerberosPrincipalNameType.srv_inst, [b'krbtgt', b'DOMAIN.LOCAL']) # Test pyspnego-parse dict. actual = kerb.parse_kerberos_token(actual) assert isinstance(actual, dict) assert actual['pvno'] == 5 assert actual['msg-type'] == 'AS-REQ (10)' assert isinstance(actual['padata'], list) assert len(actual['padata']) == 2 assert actual['padata'][0]['padata-type'] == 'PA-ENC-TIMESTAMP (2)' assert actual['padata'][0]['padata-value'][ 'etype'] == 'AES256_CTS_HMAC_SHA1_96 (18)' assert actual['padata'][0]['padata-value']['kvno'] is None assert actual['padata'][0]['padata-value']['cipher'] == '07404603A869C93176E28EDAD134CE7F' \ 'C4C873580DF4611C855F43F6AA9E48E2' \ 'F08CC28870AABCF0F7F2D4A2C2E353DE' \ '81F7302FAF7C8512' assert actual['padata'][1]['padata-type'] == 'PA-REQ-ENC-PA-REP (149)' assert actual['padata'][1]['padata-value'] == '' assert actual['req-body']['kdc-options']['raw'] == 1073741824 assert actual['req-body']['kdc-options']['flags'] == [ 'forwardable (1073741824)' ] assert actual['req-body']['cname']['name-type'] == 'NT-PRINCIPAL (1)' assert actual['req-body']['cname']['name-string'] == ['vagrant-domain'] assert actual['req-body']['realm'] == 'DOMAIN.LOCAL' assert actual['req-body']['sname']['name-type'] == 'NT-SRV-INST (2)' assert actual['req-body']['sname']['name-string'] == [ 'krbtgt', 'DOMAIN.LOCAL' ] assert actual['req-body']['from'] is None assert actual['req-body']['till'] == '2020-06-14T07:04:20+00:00' assert actual['req-body']['rtime'] is None assert actual['req-body']['nonce'] == 734266074 assert actual['req-body']['etype'] == [ 'AES256_CTS_HMAC_SHA1_96 (18)', 'AES128_CTS_HMAC_SHA1_96 (17)', 'DES3_CBC_SHA1 (16)', 'RC4_HMAC (23)' ] assert actual['req-body']['addresses'] is None assert actual['req-body']['enc-authorization-data'] is None assert actual['req-body']['additional-tickets'] is None
def test_unpack_initial_context_token_invalid_context_specific_tag(): data = pack_asn1(TagClass.context_specific, True, 2, b"\x00\x00\x00\x00") expected = "Unknown NegotiationToken CHOICE 2, only expecting 0 or 1" with pytest.raises(ValueError, match=expected): sp.unpack_token(data)
def test_unpack_initial_context_token_invalid_application_tag(): data = pack_asn1(TagClass.application, True, 1, b"\x00\x00\x00\x00") expected = "Expecting a tag number of 0 not 1 for InitialContextToken" with pytest.raises(ValueError, match=expected): sp.unpack_token(data)
def _step_spnego_input(self, in_token=None): mech_list_mic = None token = None is_spnego = True if in_token: in_token = unpack_token(in_token) if isinstance(in_token, NegTokenInit): mech_list_mic = in_token.mech_list_mic token = in_token.mech_token # This is the first token of the exchange, we should build our context list based on the mechs the # opposite end supports. mech_list = self._rebuild_context_list( mech_types=in_token.mech_types) if self.usage == 'initiate': # If initiate processes a NegTokenInit2 token that's just used as a hint, use the actually # supported mechs as the true mech list. self._mech_list = mech_list else: # If accept processes a NegTokenInit token we treat that as an actual init is sent so it does not # send it's own and uses the initiate mech list as the true mech list. self._init_sent = True self._mech_list = in_token.mech_types elif isinstance(in_token, NegTokenResp): mech_list_mic = in_token.mech_list_mic token = in_token.response_token # If we have received the supported_mech then we don't need to send our own. if in_token.supported_mech: if in_token.supported_mech != self._chosen_mech.value: self._mic_required = True self.__chosen_mech = GSSMech.from_oid( in_token.supported_mech) self._mech_sent = True # Raise exception if we are rejected and have no error info (mechToken) that will give us more info. if in_token.neg_state == NegState.reject and not token: raise InvalidTokenError( context_msg= "Received SPNEGO rejection with no token error message" ) if in_token.neg_state == NegState.request_mic: self._mic_required = True elif in_token.neg_state == NegState.accept_complete: self._complete = True else: # This usually indicates the token is a raw NTLM or Kerberos token, return as is. is_spnego = False token = in_token self.__chosen_mech = GSSMech.ntlm if token.startswith( b"NTLMSSP\x00") else GSSMech.kerberos if not self._context_list: self._rebuild_context_list( mech_types=[self.__chosen_mech.value]) else: self._mech_list = self._rebuild_context_list() return token, mech_list_mic, is_spnego