/*
* Type definitions for Group Key Distribution Service
*
* The below was initially obtained from MS-GKDI which is copyright © 2021
* Microsoft Corporation as permitted by the Open Specifications terms
* reproduced in IDL_LICENCE.txt.
*
* Only GetKey() was provided as IDL. The definitions of GroupKeyEnvelope,
* KdfParameters, and FfcDhParameters were derived from structure diagrams.
* KeyEnvelope was undocumented.
*/
#include "idl_types.h"
import "misc.idl";
[
uuid("b9785960-524f-11df-8b6d-83dcded72085"),
endpoint("ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:", "ncalrpc:"),
version(1.0),
pointer_default(unique),
helpstring("Active Directory Group Key Distribution Service")
]
interface gkdi
{
/* Public structures. */
/*
 * Flag bits carried in the ‘flags’ field of KeyEnvelope and
 * GroupKeyEnvelope below.
 */
typedef [bitmap32bit] bitmap {
ENVELOPE_FLAG_TRANSPORTING_PUBLIC_KEY = 0x00000001,
ENVELOPE_FLAG_KEY_MAY_ENCRYPT_NEW_DATA = 0x00000002
} EnvelopeFlags;
/*
 * This is an undocumented type. It is similar to GroupKeyEnvelope, but
 * with some fields omitted.
 *
 * Attribute conventions used throughout this file (pidl semantics):
 * value(...) fields are filled in when the structure is pushed;
 * range(lo, hi) fields are checked when the structure is pulled, so a
 * blob whose ‘magic’ is not 0x4b53444b, or whose L1/L2 index is above
 * 31, is rejected by the unmarshaller before any caller sees it.
 * Note that only l1_index and l2_index are range-checked; l0_index is
 * not bounded here.
 */
typedef [public] struct {
uint32 version; /* Presumably the same version field as GroupKeyEnvelope.version — confirm. */
[value(0x4b53444b), range(0x4b53444b, 0x4b53444b)] uint32 magic; /* ‘KDSK’ */
EnvelopeFlags flags;
uint32 l0_index; /* Not range-checked, unlike l1_index/l2_index. */
[range(0, 31)] uint32 l1_index;
[range(0, 31)] uint32 l2_index;
GUID root_key_id;
uint32 additional_info_len; /* Byte length of additional_info; not itself range-checked. */
[value(2 * ndr_charset_length(domain_name, CH_UTF16))] uint32 domain_name_len;
[value(2 * ndr_charset_length(forest_name, CH_UTF16))] uint32 forest_name_len;
/*
 * https://lists.samba.org/archive/cifs-protocol/2023-December/004170.html
 * This is the public key blob of an ephemeral public key used in secret
 * agreement, or a random number used in deriving a symmetric key.
 *
 * NDR_SECRET marks the bytes as sensitive so that NDR debug/print
 * output redacts them rather than logging key material.
 */
[flag(NDR_SECRET)] uint8 additional_info[additional_info_len];
nstring domain_name; /* DNS name of the domain which generated the key. */
nstring forest_name; /* DNS name of the forest which generated the key. */
} KeyEnvelope;
/*
 * The documented group-key blob (derived from the MS-GKDI structure
 * diagram, see the file header). The *_len fields for the strings are
 * computed on push; the remaining *_len fields are plain wire values
 * that size the corresponding arrays below.
 */
typedef [public] struct {
uint32 version; /* The version (msKds-Version) of the root key ADM element. */
[value(0x4b53444b), range(0x4b53444b, 0x4b53444b)] uint32 magic; /* ‘KDSK’ */
EnvelopeFlags flags;
uint32 l0_index; /* Not range-checked, unlike l1_index/l2_index. */
[range(0, 31)] uint32 l1_index;
[range(0, 31)] uint32 l2_index;
GUID root_key_id;
[value(2 * ndr_charset_length(kdf_algorithm, CH_UTF16))] uint32 kdf_algorithm_len;
uint32 kdf_parameters_len; /* Byte length of kdf_parameters. */
[value(2 * ndr_charset_length(secret_agreement_algorithm, CH_UTF16))] uint32 secret_agreement_algorithm_len;
uint32 secret_agreement_parameters_len; /* Byte length of secret_agreement_parameters. */
/*
 * No array in this structure is sized by private_key_len or
 * public_key_len; they are transported as lengths only.
 */
uint32 private_key_len;
uint32 public_key_len;
uint32 l1_key_len; /* Byte length of l1_key. */
uint32 l2_key_len; /* Byte length of l2_key. */
[value(2 * ndr_charset_length(domain_name, CH_UTF16))] uint32 domain_name_len;
[value(2 * ndr_charset_length(forest_name, CH_UTF16))] uint32 forest_name_len;
nstring kdf_algorithm;
/* Opaque here; presumably a marshalled KdfParameters (below) — confirm against the parser. */
uint8 kdf_parameters[kdf_parameters_len];
nstring secret_agreement_algorithm;
/* Opaque here; presumably a marshalled FfcDhParameters (below) — confirm against the parser. */
uint8 secret_agreement_parameters[secret_agreement_parameters_len];
nstring domain_name; /* DNS name of the domain which generated the key. */
nstring forest_name; /* DNS name of the forest which generated the key. */
/*
 * Key material. NDR_SECRET keeps these bytes out of NDR debug/print
 * output.
 */
[flag(NDR_SECRET)] uint8 l1_key[l1_key_len];
[flag(NDR_SECRET)] uint8 l2_key[l2_key_len];
} GroupKeyEnvelope;
/*
 * KDF parameter blob. The padding_* fields carry fixed value()s on
 * push; only hash_algorithm_len is derived from the payload, and none
 * of the fixed fields is range-checked on pull.
 */
typedef [public] struct {
[value(0)] uint32 padding_0;
[value(1)] uint32 padding_1;
[value(2 * ndr_charset_length(hash_algorithm, CH_UTF16))] uint32 hash_algorithm_len;
[value(0)] uint32 padding_2;
nstring hash_algorithm; /* Name of the hash used by the KDF. */
} KdfParameters;
/*
 * Finite-field Diffie-Hellman parameter blob. ‘magic’ is the only
 * field whose wire value is range-checked; key_length is not bounded
 * here and sizes both arrays below.
 */
typedef [public] struct {
/*
 * Twelve bytes account for the length, magic number, and key
 * length; the remaining bytes cover the two arrays of
 * ‘key_length’ bytes each.
 */
[value(12 + 2 * key_length)] uint32 length;
[value(0x4d504844), range(0x4d504844, 0x4d504844)] uint32 magic; /* ‘DHPM’ */
uint32 key_length; /* Byte length of each of field_order and generator. */
uint8 field_order[key_length];
uint8 generator[key_length];
} FfcDhParameters;
/*
 * Not among the types the file header lists as taken from MS-GKDI;
 * presumably a Samba-side helper bundling the gkdi_GetKey inputs
 * (guid/l*_idx/target_security_descriptor mirror root_key_id,
 * l*_key_id and target_sd) — confirm with its users.
 * The indexes are int32 here and in gkdi_GetKey, whereas the envelope
 * structures above carry them as uint32.
 */
typedef [public] struct {
GUID guid;
int32 l0_idx;
int32 l1_idx;
int32 l2_idx;
/* NDR_REMAINING: consumes whatever bytes follow l2_idx in the buffer. */
[flag(NDR_REMAINING)] DATA_BLOB target_security_descriptor;
} GkdiDerivationCtx;
/*
 * GetKey(): the only operation of the interface.
 *
 * In:  target_sd / target_sd_len - security descriptor of the caller-
 *                                  chosen target, target_sd_len bytes.
 *      root_key_id               - [unique] pointer, so it may be NULL.
 *      l0_key_id..l2_key_id      - requested key indexes (signed here,
 *                                  unlike the uint32 envelope fields).
 * Out: out / out_len            - server-allocated buffer of *out_len
 *                                  bytes; presumably a marshalled
 *                                  GroupKeyEnvelope — confirm.
 * Returns an HRESULT.
 */
HRESULT gkdi_GetKey(
[in] uint32 target_sd_len,
[in] [size_is(target_sd_len)] [ref] char *target_sd,
[in] [unique] GUID* root_key_id,
[in] int32 l0_key_id,
[in] int32 l1_key_id,
[in] int32 l2_key_id,
[out] uint32 *out_len,
[out] [size_is(,*out_len)] uint8** out
);
}