tgt = self.get_tgt(user_creds)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, key)
+ self.verify_ticket(tgt, key, service_ticket=False)
# Get a service ticket from the DC.
service_ticket = self.get_service_ticket(tgt, target_creds)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=True)
def test_mit_ticket_signature(self):
# Ensure that a DC does not issue tickets signed with its krbtgt key.
tgt = self.get_tgt(user_creds)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, key)
+ self.verify_ticket(tgt, key, service_ticket=False)
# Get a service ticket from the DC.
service_ticket = self.get_service_ticket(tgt, target_creds)
# Ensure the PAC does not contain the expected checksums.
- self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=False)
def as_pre_auth_req(self, creds, etypes):
user = creds.get_username()
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
self.verify_ticket(service_ticket_creds, krbtgt_key,
- expect_pac=expect_pac,
+ service_ticket=True, expect_pac=expect_pac,
expect_ticket_checksum=self.tkt_sig_support)
self.tkt_cache[cache_key] = service_ticket_creds
self.assertIsNotNone(ticket_decryption_key)
if ticket_decryption_key is not None:
- self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac,
+ service_ticket = (not self.is_tgs(expected_sname)
+ and rep_msg_type == KRB_TGS_REP)
+ self.verify_ticket(ticket_creds, krbtgt_keys,
+ service_ticket=service_ticket,
+ expect_pac=expect_pac,
expect_ticket_checksum=expect_ticket_checksum
or self.tkt_sig_support)
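Review bot: The expression `not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP` that now defines `service_ticket` here is repeated verbatim in the later hunk that appends `PAC_TYPE_TICKET_CHECKSUM` to `expected_types`, so the two sites can drift apart the next time the ticket-checksum rules change. If both sites are in the same function, computing it once into a local and reusing it at both places is enough; otherwise a small shared helper returning that boolean would keep the verify call and the expected-buffer list in agreement. The enclosing function starts and ends outside this hunk, so I cannot tell which applies.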
expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
- if not self.is_tgs(expected_sname):
+ if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP:
expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO}
if not self.tkt_sig_support:
require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
- expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP
+ expect_extra_pac_buffers = self.is_tgs(expected_sname)
expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs']
ticket_blob)
self.assertEqual(expected_checksum, checksum)
- def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True,
+ def verify_ticket(self, ticket, krbtgt_keys, service_ticket,
+ expect_pac=True,
expect_ticket_checksum=True):
- # Check if the ticket is a TGT.
- is_tgt = self.is_tgt(ticket)
-
# Decrypt the ticket.
key = ticket.decryption_key
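Review bot: The new `service_ticket` parameter of `verify_ticket` is a required positional argument inserted ahead of `expect_pac`, so a caller that still passes `expect_pac` positionally as the third argument would now bind it to `service_ticket` without any error; the callers visible in this diff all use keywords, but making the flag keyword-only removes that risk: `def verify_ticket(self, ticket, krbtgt_keys, *, service_ticket, expect_pac=True, expect_ticket_checksum=True):`. The flag also replaces the removed `is_tgt = self.is_tgt(ticket)` check with a value the caller must get right, and in the following hunk it decides whether the test asserts that `PAC_TYPE_TICKET_CHECKSUM` is absent, so a wrong value weakens the check silently rather than failing. A docstring on the method stating that `service_ticket` is expected to be True only for a ticket obtained from a TGS exchange for a non-krbtgt service, mirroring the `not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP` condition at the generic call site, would make that contract explicit. The body of verify_ticket continues outside this hunk.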
kdc_ctype,
kdc_checksum)
- if is_tgt:
+ if not service_ticket:
self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums)
else:
ticket_checksum, ticket_ctype = checksums.get(
tgt = self.get_tgt(user_creds, to_rodc=True)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, rodc_key)
+ self.verify_ticket(tgt, rodc_key, service_ticket=False)
# Get a service ticket from the RODC.
service_ticket = self.get_service_ticket(tgt, target_creds,
to_rodc=True)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(service_ticket, rodc_key)
+ self.verify_ticket(service_ticket, rodc_key, service_ticket=True)
if __name__ == "__main__":