Kerberos smart card credentials handling #143
…oty context builder that allows us to transform builder into another with another authdata type
… handle builder that allows us to transform builder into another with another authdata type
…text builder that allows us to transform builder into another with another credshandle type
…regular auth identity and smart card creds;
…egular auth identity and smart card creds
…transform function for the created builder
…sform function for the created builder; feat(sspi): builder: acq_cred_handle: implement `.transform` method for the AcquireCredentialsHandleResult;
…nsform function for the created builder. Implement credentials_handle_mut function
…gular auth identity and smart card creds
…ass regular auth identity and smart card creds
…of AuthIdentity/AuthIdentityBuffers
… general CredentialsBuffers structure. replace custom BER encoding with structures from the picky-krb crate;
…dentials changes;
…e hardcoded values;
…e fields to the smart card creds;
…, reader_name, etc) extraction;
Looking good.
I didn't change the `credentials_handle` type of the CredSSP client because of backward compatibility with the IronRDP that doesn't support smart card logon yet.
You can introduce a breaking change if necessary. We’ll increase the version number as appropriate and fix downstream code (IronRDP). I guess it would not be too hard in this case.
Improved the ffi bindings. Now users can pass the smart card credentials using the AcquireCredentialsHandleA/W function. How it works: the smart card credentials are always marshaled into a string that always starts with the "@" character.
Any opinion? @awakecoding
I improved the
05bcb41 to d20660d
…_identity_buffers
…l:7999/wkn/sspi-rs into kerberos-smart-card-credentials
ffi/src/sec_winnt_auth_identity.rs (outdated)
@@ -263,7 +265,7 @@ pub unsafe fn auth_data_to_identity_buffers_w( | |||
|
|||
// only marshaled smart card creds starts with '@' char | |||
#[cfg(feature = "scard")] | |||
if user[0] == b'@' { | |||
if user[0] == b'@' && CredIsMarshaledCredentialW(user.as_ptr() as *const _) != 0 { |
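Review bot: `user[0]` is indexed before the length of `user` is checked, so an empty buffer panics inside this `unsafe fn` FFI entry point; guard with `user.first() == Some(&b'@')` (or `user.starts_with(b"@")`) before calling `CredIsMarshaledCredentialW`. That call reads a NUL-terminated wide string from `user.as_ptr()`, so the buffer also has to carry its terminator, and since the function, as the reviewer notes, reports true for marshal types other than `CertCredential`, the type still needs to be confirmed (for example through `CredUnmarshalCredentialW`) before the value is handled as smart card credentials. The comment should read "only marshaled smart card creds start with '@' char".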
calling CredIsMarshaledCredentialW should be enough, it checks for @@ under the hood anyway. maybe the only potential issue is that CredIsMarshaledCredentialW could return true for types other than 1
fixed
This is looking good to me. Do we need to publish a new version of the Rust crate, or should this wait for the follow-up PRs?
Wait for follow up prs. I have 2 more pull requests
This adds Kerberos smart card credentials handling. Note: it doesn't contain actual smart card logon implementation or code for working with smart cards (follow-up patches incoming).

- Adds the `scard` feature to enable the smart card logon. This feature is only supported on Windows.
- Improves the `ffi` bindings. Now users can pass the smart card credentials using the `AcquireCredentialsHandleA/W` function. How it works: the smart card credentials are always marshaled into a string that always starts with the "@" character.
- Adds a `CredentialsBuffers`, `Credentials`, `SmartCardIdentityBuffers`, and `SmartCardIdentity` structure to be able to handle any kind of credentials.
- Improves `TsCredentials` encoding. For the `TsCredentials`, `TsSmartCardCreds`, and `TsCspDataDetail` structures I use the `picky-krb` crate.

References:
* [MS-CSSP: TSCredentials](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/94a1ab00-5500-42fd-8d3d-7a84e6c2cf03).
* [CredUnmarshalCredentialW](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credunmarshalcredentialw).
Hello,

In this PR I've added Kerberos smart card credentials handling. Note: it doesn't contain actual smart card logon implementation or code for working with smart cards (they will be in other PRs).

Changes overview:

- Improves the `ffi` bindings. Now users can pass the smart card credentials using the `AcquireCredentialsHandleA/W` function. How it works: the smart card credentials are always marshaled into a string that always starts with the "@" character.
- Adds a `CredentialsBuffers`, `Credentials`, `SmartCardIdentityBuffers`, and `SmartCardIdentity` structure to be able to handle any kind of credentials.
- I didn't change the `credentials_handle` type of the CredSSP client because of backward compatibility with the IronRDP that doesn't support smart card logon yet.
- For the `TsCredentials`, `TsSmartCardCreds`, and `TsCspDataDetail` structures I use the `picky-krb` crate. See the corresponding PR: picky-krb: CredSSP credentials structures picky-rs#233.

Docs & references:
* [MS-CSSP: TSCredentials](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/94a1ab00-5500-42fd-8d3d-7a84e6c2cf03).
* [CredUnmarshalCredentialW](https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credunmarshalcredentialw).