
password decrypt

Jonathan Turner il y a 9 ans
Parent
commit
6bd275dcff
5 fichiers modifiés avec 76 ajouts et 42 suppressions
  1. 38 0
      crypto/EncryptionEngine.go
  2. 11 5
      debug.go
  3. 4 37
      messages/KDCRep.go
  4. 8 0
      types/PrincipalName.go
  5. 15 0
      types/PrincipalName_test.go

+ 38 - 0
crypto/EncryptionEngine.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"github.com/jcmturner/gokrb5/types"
 	"hash"
+	"encoding/hex"
 )
 
 type EType interface {
@@ -150,6 +151,43 @@ func DecryptEncPart(key []byte, pe types.EncryptedData, etype EType, usage uint3
 	return b, nil
 }
 
+func GetKeyFromPassword(passwd string, cn types.PrincipalName, realm string, etypeId int, pas types.PADataSequence) ([]byte, EType, error) {
+	var key []byte
+	var etype EType
+	for _, pa := range pas {
+		if pa.PADataType == 19 {
+			var et2 types.ETypeInfo2
+			err := et2.Unmarshal(pa.PADataValue)
+			if err != nil {
+				return key, etype, fmt.Errorf("Error unmashalling PA Data to PA-ETYPE-INFO2: %v", err)
+			}
+			etype, err := GetEtype(et2[0].EType)
+			if err != nil {
+				return key, etype, fmt.Errorf("Error getting encryption type: %v", err)
+			}
+			sk2p := etype.GetDefaultStringToKeyParams()
+			if len(et2[0].S2KParams) == 8 {
+				sk2p = hex.EncodeToString(et2[0].S2KParams)
+			}
+			key, err := etype.StringToKey(passwd, et2[0].Salt, sk2p)
+			if err != nil {
+				return key, etype, fmt.Errorf("Error deriving key from string: %+v", err)
+			}
+			return key, etype, nil
+		}
+	}
+	etype, err := GetEtype(etypeId)
+	if err != nil {
+		return key, etype, fmt.Errorf("Error getting encryption type: %v", err)
+	}
+	sk2p := etype.GetDefaultStringToKeyParams()
+	key, err = etype.StringToKey(passwd, cn.GetSalt(realm), sk2p)
+	if err != nil {
+		return key, etype, fmt.Errorf("Error deriving key from string: %+v", err)
+	}
+	return key, etype, nil
+}
+
 func GetChecksum(pt, key []byte, usage int, etype EType) ([]byte, error) {
 	k, err := etype.DeriveKey(key, GetUsageKi(uint32(usage)))
 	if err != nil {
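Review bot: `et2[0]` is indexed at the `GetEtype(et2[0].EType)` line and the three lines after it without checking that the decoded PA-ETYPE-INFO2 sequence has an entry, so a reply whose ETYPE-INFO2 decodes to an empty sequence panics the caller instead of returning an error; add `if len(et2) == 0 { return key, etype, fmt.Errorf("PA-ETYPE-INFO2 in PA data is empty") }` directly after the Unmarshal error check. The `etype, err := GetEtype(...)` and `key, err := etype.StringToKey(...)` inside the loop shadow the outer `etype` and `key` declared at the top of the function, so the error returns in that branch hand back the outer nil values rather than the ones just derived, and go vet's shadow analyzer will flag it; `err` is already in loop scope from the Unmarshal call, so both lines can simply use `=`. The `"encoding/hex"` import is appended after `"hash"` where goimports would place it before `"fmt"`, and "unmashalling" in the first error string is a typo for "unmarshalling".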

+ 11 - 5
debug.go

@@ -27,7 +27,7 @@ func main() {
 	pas = append(pas, pa)
 
 	a := messages.NewASReq()
-	//a.PAData = pas
+	a.PAData = pas
 	a.ReqBody.Realm = realm
 	a.ReqBody.CName.NameString = []string{"testuser1"}
 	a.ReqBody.SName.NameType = 2
@@ -53,15 +53,21 @@ func main() {
 	kb, _ := hex.DecodeString(ktab)
 	kt, err := keytab.Parse(kb)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "KT load err: %v\n", err)
+		fmt.Fprintf(os.Stderr, "KT load err: %v\n\n", err)
 	}
 	fmt.Fprintf(os.Stdout, "KT: %+v", kt)
-	//err = r.DecryptEncPart(kt)
-	err = r.DecryptTemp("passwordvalue")
+	err = r.DecryptEncPartWithKeytab(kt)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Decrypt err: %v\n", err)
 	}
+	fmt.Fprintf(os.Stdout, "\n\nAS REP decrypted with keytab: %+v\n", r)
+
+	pswd := "passwordvalue"
+	err = r.DecryptEncPartWithPassword(pswd)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Decrypt err: %v\n", err)
+	}
+	fmt.Fprintf(os.Stdout, "\n\nAS REP decrypted with password: %+v\n", r)
 
-	fmt.Fprintf(os.Stdout, "AS REP: %+v\n", r)
 
 }
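Review bot: The error from `r.DecryptEncPartWithKeytab(kt)` is printed and then ignored, so the line labelled "AS REP decrypted with keytab" prints `r` even when decryption failed, and the password path added below it has the same shape; a `return` (or `os.Exit(1)`) after each stderr write would keep the output from claiming a decryption that did not happen. `pswd := "passwordvalue"` reads as a placeholder in this debug harness and deserves a comment saying so, e.g. `// placeholder; set to the test principal's password when running locally`. main starts outside this hunk.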

+ 4 - 37
messages/KDCRep.go

@@ -4,7 +4,6 @@ package messages
 // Section: 5.4.2
 
 import (
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"github.com/jcmturner/asn1"
@@ -123,18 +122,8 @@ func (e *EncKDCRepPart) Unmarshal(b []byte) error {
 	return err
 }
 
-func (k *ASRep) DecryptTemp(passwd string) error {
-	etype, _ := crypto.GetEtype(k.EncPart.EType)
-	var et2 types.ETypeInfo2
-	et2.Unmarshal(k.PAData[0].PADataValue)
-	sk2p := etype.GetDefaultStringToKeyParams()
-	if len(et2[0].S2KParams) == 8 {
-		sk2p = hex.EncodeToString(et2[0].S2KParams)
-	}
-	key, err := etype.StringToKey(passwd, et2[0].Salt, sk2p)
-	if err != nil {
-		return fmt.Errorf("Error with string to key: %+v", et2)
-	}
+func (k *ASRep) DecryptEncPartWithPassword(passwd string) error {
+	key, etype, err := crypto.GetKeyFromPassword(passwd, k.CName, k.CRealm, k.EncPart.EType, k.PAData)
 	b, err := crypto.DecryptEncPart(key, k.EncPart, etype, USAGE_AS_REP_ENCPART)
 	if err != nil {
 		return fmt.Errorf("Error decrypting KDC_REP EncPart: %v", err)
@@ -148,34 +137,12 @@ func (k *ASRep) DecryptTemp(passwd string) error {
 	return nil
 }
 
-func (k *ASRep) DecryptEncPart(kt keytab.Keytab) error {
+func (k *ASRep) DecryptEncPartWithKeytab(kt keytab.Keytab) error {
 	etype, err := crypto.GetEtype(k.EncPart.EType)
 	if err != nil {
 		return fmt.Errorf("Error getting encryption type: %v", err)
 	}
-	var key []byte
-	for _, pa := range k.PAData {
-		if pa.PADataType == 19 {
-			var et2 types.ETypeInfo2
-			err := et2.Unmarshal(pa.PADataValue)
-			if err != nil {
-				return fmt.Errorf("Error unmashalling PA Data to PA-ETYPE-INFO2: %v", err)
-			}
-			etype, err := crypto.GetEtype(et2[0].EType)
-			if err != nil {
-				return fmt.Errorf("Error getting encryption type: %v", err)
-			}
-			sk2p := etype.GetDefaultStringToKeyParams()
-			if len(et2[0].S2KParams) == 8 {
-				sk2p = hex.EncodeToString(et2[0].S2KParams)
-			}
-			key, err = etype.StringToKey("TBA", et2[0].Salt, sk2p)
-			if err != nil {
-				return fmt.Errorf("Error with string to key: %+v", et2)
-			}
-		}
-	}
-	key, err = kt.GetKey(k.CName.NameString[0], k.CRealm, k.EncPart.KVNO, k.EncPart.EType)
+	key, err := kt.GetKey(k.CName.NameString[0], k.CRealm, k.EncPart.KVNO, k.EncPart.EType)
 	if err != nil {
 		return fmt.Errorf("Could not get key from keytab: %v", err)
 	}
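Review bot: The `err` returned by `crypto.GetKeyFromPassword` in DecryptEncPartWithPassword is never checked — the very next line `b, err := crypto.DecryptEncPart(...)` overwrites it — so a failed key derivation (bad PA data, unknown etype) is silently followed by a decrypt attempt with a nil key and a nil `etype`, which will fail or nil-dereference inside DecryptEncPart rather than report the real cause. Insert after the GetKeyFromPassword line: `if err != nil {` / `return fmt.Errorf("Error getting key from password: %v", err)` / `}`. With that in place the existing error from DecryptEncPart correctly identifies a decrypt problem (wrong password or corrupted EncPart) as distinct from a key-derivation problem. The body of DecryptEncPartWithPassword continues past the end of the first hunk.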

+ 8 - 0
types/PrincipalName.go

@@ -8,3 +8,11 @@ type PrincipalName struct {
 	NameString []string `asn1:"generalstring,explicit,tag:1"`
 }
 
+func (pn *PrincipalName) GetSalt(realm string) string {
+	var sb []byte
+	sb = append(sb, realm...)
+	for _, n := range pn.NameString {
+		sb = append(sb, n...)
+	}
+	return string(sb)
+}
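Review bot: GetSalt is exported but has no doc comment, and since the salt directly determines the derived key it is worth stating what it produces; suggest `// GetSalt returns the default string-to-key salt for the principal: the realm followed by each name component, concatenated in order with no separator (the RFC 4120 default salt).` above the func line. It may also help callers to note that this value is only meant for the case where the KDC supplied no PA-ETYPE-INFO2 salt, which is how the crypto package uses it in this commit. The byte-append loop could be written as `return realm + strings.Join(pn.NameString, "")` if the file already imports `strings`; the current form is correct either way.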

+ 15 - 0
types/PrincipalName_test.go

@@ -0,0 +1,15 @@
+package types
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+
+func TestPrincipalName_GetSalt(t *testing.T) {
+	pn := PrincipalName{
+		NameType: 1,
+		NameString: []string{"firststring", "secondstring"},
+	}
+	assert.Equal(t, "TEST.GOKRB5firststringsecondstring", pn.GetSalt("TEST.GOKRB5"), "Principal name default salt not as expected")
+}
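Review bot: The new test pulls in testify for a single string equality that the standard `testing` package expresses directly, e.g. `if got := pn.GetSalt("TEST.GOKRB5"); got != "TEST.GOKRB5firststringsecondstring" { t.Errorf("salt = %q", got) }`, which avoids a third-party dependency on a core types package. The import block lists the testify package before `"testing"` and there are two consecutive blank lines before the func, both of which goimports/gofmt would rewrite. Consider also covering the edge case of a principal with no name components (`NameString: nil`), whose salt should be just the realm.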