services/console-proxy-rdp/rdpconsole/src/main/java/rdpclient/ntlmssp/asn1/TSRequest.java

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.
package rdpclient.ntlmssp.asn1;

import streamer.ByteBuffer;
import common.asn1.Asn1Integer;
import common.asn1.OctetString;
import common.asn1.Sequence;
import common.asn1.Tag;

/**
 * The TSRequest structure is the top-most structure used by the CredSSP client
 * and CredSSP server. It contains the SPNEGO messages between the client and
 * server, and either the public key authentication messages that are used to
 * bind to the TLS session or the client credentials that are delegated to the
 * server. The TSRequest message is always sent over the TLS-encrypted channel
 * between the client and server in a CredSSP Protocol exchange (see step 1 in
 * section 3.1.5).
 *
 * <pre>
 * TSRequest ::= SEQUENCE {
 *   version       [0] INTEGER,
 *   negoTokens    [1] NegoData OPTIONAL,
 *   authInfo      [2] OCTET STRING OPTIONAL,
 *   pubKeyAuth    [3] OCTET STRING OPTIONAL
 * }
 *
 * </pre>
 * <ul>
 *
 * <li>version: This field specifies the supported version of the CredSSP
 * Protocol. This field MUST be 2. If the version is greater than 2, a version 2
 * client or server treats its peer as one that is compatible with version 2 of
 * the CredSSP Protocol.
 *
 * <li>negoTokens: A NegoData structure, as defined in section 2.2.1.1, that
 * contains the SPNEGO messages that are passed between the client and server.
 *
 * <li>authInfo: A TSCredentials structure, as defined in section 2.2.1.2, that
 * contains the user's credentials that are delegated to the server. The
 * authinfo field <b>MUST be encrypted</b> under the encryption key that is
 * negotiated under the SPNEGO package.
 *
 * <li>pubKeyAuth: This field is used to assure that the public key that is used
 * by the server during the TLS handshake belongs to the target server and not
 * to a "man in the middle". The client encrypts the public key it received from
 * the server (contained in the X.509 certificate) in the TLS handshake from
 * step 1, by using the confidentiality support of SPNEGO. The public key that
 * is encrypted is the ASN.1-encoded SubjectPublicKey sub-field of
 * SubjectPublicKeyInfo from the X.509 certificate, as specified in [RFC3280]
 * section 4.1. The encrypted key is encapsulated in the pubKeyAuth field of the
 * TSRequest structure and is sent over the TLS channel to the server. After the
 * client completes the SPNEGO phase of the CredSSP Protocol, it uses
 * GSS_WrapEx() for the negotiated protocol to encrypt the server's public key.
 * The pubKeyAuth field carries the message signature and then the encrypted
 * public key to the server. In response, the server uses the pubKeyAuth field
 * to transmit to the client a modified version of the public key (as described
 * in section 3.1.5) that is encrypted under the encryption key that is
 * negotiated under SPNEGO.
 * </ul>
 *
 * @see http://msdn.microsoft.com/en-us/library/cc226780.aspx
 */
public class TSRequest extends Sequence {
    public Asn1Integer version = new Asn1Integer("version") {
        {
            explicit = true;
            tagClass = CONTEXT_CLASS;
            tagNumber = 0;
        }
    };
    public NegoData negoTokens = new NegoData("negoTokens") {
        {
            explicit = true;
            tagClass = CONTEXT_CLASS;
            tagNumber = 1;
            optional = true;
        }
    };
    public OctetString authInfo = new OctetString("authInfo") {
        {
            explicit = true;
            tagClass = CONTEXT_CLASS;
            tagNumber = 2;
            optional = true;
        }
    };
    public OctetString pubKeyAuth = new OctetString("pubKeyAuth") {
        {
            explicit = true;
            tagClass = CONTEXT_CLASS;
            tagNumber = 3;
            optional = true;
        }
    };

    public TSRequest(String name) {
        super(name);
        tags = new Tag[] {version, negoTokens, authInfo, pubKeyAuth};
    }

    @Override
    public Tag deepCopy(String suffix) {
        return new TSRequest(name + suffix).copyFrom(this);
    }

    /**
     * Example.
     */
    public static void main(String[] args) {

        /* @formatter:off */
        byte[] packet = new byte[] {
                0x30, (byte) 0x82, 0x01, 0x02, // TAG: [UNIVERSAL 16] (constructed) "SEQUENCE" LEN: 258 bytes
                (byte) 0xa0, 0x03, // TAG: [0] (constructed) LEN: 3 bytes
                0x02, 0x01, 0x03,  // TAG: [UNIVERSAL 2] (primitive) "INTEGER" LEN: 1 bytes, Version: 0x3
                (byte) 0xa1, (byte) 0x81, (byte) 0xfa, // TAG: [1] (constructed) LEN: 250 bytes
                0x30, (byte) 0x81, (byte) 0xf7, // TAG: [UNIVERSAL 16] (constructed) "SEQUENCE" LEN: 247 bytes
                0x30, (byte) 0x81, (byte) 0xf4, // TAG: [UNIVERSAL 16] (constructed) "SEQUENCE" LEN: 244 bytes
                (byte) 0xa0, (byte) 0x81, (byte) 0xf1, // TAG: [0] (constructed) LEN: 241 bytes
                0x04, (byte) 0x81, (byte) 0xee, // TAG: [UNIVERSAL 4] (primitive) "OCTET STRING" LEN: 238 bytes

                0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, // "NTLMSSP\0"

                0x02, 0x00, 0x00, 0x00, // MessageType (CHALLENGE)
                0x1e, 0x00, 0x1e, 0x00, 0x38, 0x00, 0x00, 0x00, // TargetName (length: 30, allocated space: 30, offset: 56)
                0x35, (byte) 0x82, (byte) 0x8a, (byte) 0xe2, // NegotiateFlags TODO
                0x52, (byte) 0xbe, (byte) 0x83, (byte) 0xd1, (byte) 0xf8, (byte) 0x80, 0x16, 0x6a,  //  ServerChallenge
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //  Reserved
                (byte) 0x98, 0x00, (byte) 0x98, 0x00, 0x56, 0x00, 0x00, 0x00, // TargetInfo (length: 152, allocated space: 152, offset: 86)
                0x06, 0x03, (byte) 0xd7, 0x24, 0x00, 0x00, 0x00, 0x0f,  // Version (6.3, build 9431) , NTLM current revision: 15


                0x57, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x2d, 0x00, 0x4c, 0x00, 0x4f, 0x00, 0x34, 0x00, 0x31, 0x00, 0x39, 0x00, 0x42, 0x00, 0x32, 0x00, 0x4c, 0x00, 0x53, 0x00, 0x52, 0x00, 0x30, 0x00,  // Target name value: "WIN-LO419B2LSR0"

                // Target Info value:

                // Attribute list

                0x02, 0x00, // Item Type: NetBIOS domain name (0x0002, LE)
                0x1e, 0x00, //  Item Length: 30 (LE)
                0x57, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x2d, 0x00, 0x4c, 0x00, 0x4f, 0x00, 0x34, 0x00, 0x31, 0x00, 0x39, 0x00, 0x42, 0x00, 0x32, 0x00, 0x4c, 0x00, 0x53, 0x00, 0x52, 0x00, 0x30, 0x00, // "WIN-LO419B2LSR0"

                0x01, 0x00,  //  Item Type: NetBIOS computer name (0x0001, LE)
                0x1e, 0x00, //  Item Length: 30 (LE)
                0x57, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x2d, 0x00, 0x4c, 0x00, 0x4f, 0x00, 0x34, 0x00, 0x31, 0x00, 0x39, 0x00, 0x42, 0x00, 0x32, 0x00, 0x4c, 0x00, 0x53, 0x00, 0x52, 0x00, 0x30, 0x00, // "WIN-LO419B2LSR0"

                0x04, 0x00,  // Item Type: DNS domain name (0x0004, LE)
                0x1e, 0x00, //  Item Length: 30 (LE)
                0x57, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x2d, 0x00, 0x4c, 0x00, 0x4f, 0x00, 0x34, 0x00, 0x31, 0x00, 0x39, 0x00, 0x42, 0x00, 0x32, 0x00, 0x4c, 0x00, 0x53, 0x00, 0x52, 0x00, 0x30, 0x00, // "WIN-LO419B2LSR0"

                0x03, 0x00,  // Item Type: DNS computer name (0x0003, LE)
                0x1e, 0x00, //  Item Length: 30 (LE)
                0x57, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x2d, 0x00, 0x4c, 0x00, 0x4f, 0x00, 0x34, 0x00, 0x31, 0x00, 0x39, 0x00, 0x42, 0x00, 0x32, 0x00, 0x4c, 0x00, 0x53, 0x00, 0x52, 0x00, 0x30, 0x00, // "WIN-LO419B2LSR0"

                0x07, 0x00,  // Item Type: Timestamp (0x0007, LE)
                0x08, 0x00, //  Item Length: 8 (LE)
                (byte) 0x99, 0x4f, 0x02, (byte) 0xd8, (byte) 0xf4, (byte) 0xaf, (byte) 0xce, 0x01, // TODO

                // Attribute: End of list
                0x00, 0x00,
                0x00, 0x00,
        };
        /* @formatter:on */

        TSRequest request = new TSRequest("TSRequest");

        // Read request from buffer
        // System.out.println("Request BER tree before parsing: " + request);
        ByteBuffer toReadBuf = new ByteBuffer(packet);
        request.readTag(toReadBuf);
        // System.out.println("Request BER tree after parsing: " + request);

        // System.out.println("version value: " + request.version.value);
        // System.out.println("negoToken value: " + ((NegoItem)
        // request.negoTokens.tags[0]).negoToken.value);

        // Write request to buffer and compare with original
        ByteBuffer toWriteBuf = new ByteBuffer(packet.length + 100, true);
        request.writeTag(toWriteBuf);
        toWriteBuf.trimAtCursor();

        if (!toReadBuf.equals(toWriteBuf))
            throw new RuntimeException("Data written to buffer is not equal to data read from buffer. \nExpected: " + toReadBuf + "\nActual: " + toWriteBuf + ".");
    }

}