return root_key_object, root_key_id
def validate_get_key_request(
- self, gkid: Gkid, current_gkid: Gkid, root_key_specified: bool
+ self, gkid: Gkid, current_time: NtTime, root_key_specified: bool
) -> None:
+ # The key being requested must not be from the future. That said, we
+ # allow for a little bit of clock skew so that we can compute the next
+ # managed password prior to the expiration of the current one.
+ current_gkid = Gkid.from_nt_time(NtTime(current_time + MAX_CLOCK_SKEW))
if gkid > current_gkid:
raise GetKeyError(
HRES_E_INVALIDARG,
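Review bot: MAX_CLOCK_SKEW now silently widens the "not from the future" boundary for every caller of validate_get_key_request, but nothing at the definition states that this is the only place the skew is applied or what unit MAX_CLOCK_SKEW is in; the addition on the `current_gkid = Gkid.from_nt_time(...)` line is the load-bearing security check here and deserves a docstring. I would add one below the signature along the lines of `"""Reject a GetKey request for *gkid* that lies further in the future than *current_time* plus MAX_CLOCK_SKEW (NT time units), raising GetKeyError(HRES_E_INVALIDARG); the skew tolerance exists so the next managed password can be derived shortly before the current one expires."""`, adjusting the unit if MAX_CLOCK_SKEW is not expressed in NT time ticks (its definition is not in the hunk). The skewed value is deliberately local to this method, so it would also help to say explicitly that callers passing *current_time* must supply the unskewed clock. The body of validate_get_key_request continues past the end of the hunk.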
gkid: Gkid,
*,
root_key_id_hint: Optional[misc.GUID] = None,
- current_gkid: Optional[Gkid] = None,
+ current_time: Optional[NtTime] = None,
) -> SeedKeyPair:
"""Emulate the ISDKey.GetKey() RPC method.
Windows, pass a GUID in the *root_key_id_hint* parameter to specify a
particular root key to use."""
- if current_gkid is None:
- current_gkid = self.current_gkid(samdb)
+ if current_time is None:
+ current_time = self.current_nt_time(samdb)
root_key_specified = root_key_id is not None
if root_key_specified:
root_key_id_hint, "don’t provide both root key ID parameters"
)
- self.validate_get_key_request(gkid, current_gkid, root_key_specified)
+ self.validate_get_key_request(gkid, current_time, root_key_specified)
root_key_object, root_key_id = self.get_root_key_object(
samdb, root_key_id if root_key_specified else root_key_id_hint, gkid
)
if root_key_specified:
+ current_gkid = Gkid.from_nt_time(current_time)
if gkid.l0_idx < current_gkid.l0_idx:
# All of the seed keys with an L0 index less than the current L0
# index are from the past and thus are safe to return. If the
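Review bot: The `current_gkid = Gkid.from_nt_time(current_time)` line added inside the `if root_key_specified:` branch derives the GKID from the unskewed clock, while validate_get_key_request a few lines earlier derives its bound from `current_time + MAX_CLOCK_SKEW`, so the two "current" GKIDs in this method can differ by one interval near an L0/L1/L2 boundary. That looks intentional (the past/present split for returning seed keys should not be moved by the tolerance), but a reader comparing the two sites will assume one of them is a mistake; a one-line comment above the new line such as `# Deliberately no clock-skew allowance here: the skew only relaxes the future-check in validate_get_key_request, not which L0 period counts as "the past".` would settle it. If the skew is ever meant to apply here too, that needs to be decided explicitly rather than left implicit. get_key starts and ends outside this hunk.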
target_sd: bytes, # An NDR‐encoded valid security descriptor in self‐relative format.
root_key_id: Optional[misc.GUID],
gkid: Gkid,
- current_gkid: Optional[Gkid] = None,
+ current_time: Optional[NtTime] = None,
) -> GroupKey:
- if current_gkid is None:
- current_gkid = self.current_gkid(samdb)
+ if current_time is None:
+ current_time = self.current_nt_time(samdb)
root_key_specified = root_key_id is not None
- self.validate_get_key_request(gkid, current_gkid, root_key_specified)
+ self.validate_get_key_request(gkid, current_time, root_key_specified)
root_key_object, root_key_id = self.get_root_key_object(
samdb, root_key_id, gkid
self.gmsa_sd,
root_key_id,
Gkid(255, 2, 5),
- current_gkid=current_gkid,
+ current_time=current_gkid.start_nt_time(),
)
# Expect to get an L1 seed key.
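Review bot: The test changes in this hunk and the ones that follow (the `current_time=current_gkid.start_nt_time()` and `current_time=Gkid(101, 2, 3).start_nt_time()` replacements, through the `current_time=self.current_nt_time(self.get_samdb())` call) are mechanical renames and keep each clock exactly at the start of an interval, so none of them exercises the MAX_CLOCK_SKEW tolerance that the validate_get_key_request change introduces. A request for the GKID one interval ahead of `current_gkid` should now succeed when `current_time` is within MAX_CLOCK_SKEW of that interval's start and still raise GetKeyError with HRES_E_INVALIDARG when it is not; without such a pair of cases a future change to the skew constant, or an off-by-one in `Gkid.from_nt_time` at the boundary, would go unnoticed. I cannot see the test method boundaries or MAX_CLOCK_SKEW's value from here, so the exact times for those cases need to come from its definition.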
self.gmsa_sd,
root_key_id,
Gkid(321, 0, 1),
- current_gkid=current_gkid,
+ current_time=current_gkid.start_nt_time(),
)
# Expect to get an L2 seed key.
self.gmsa_sd,
root_key_id,
Gkid(123, 2, 1),
- current_gkid=current_gkid,
+ current_time=current_gkid.start_nt_time(),
)
# Expect to get both L1 and L2 seed keys.
self.gmsa_sd,
root_key_id,
Gkid(100, 20, 30),
- current_gkid=Gkid(101, 2, 3),
+ current_time=Gkid(101, 2, 3).start_nt_time(),
)
# Expect to get an L1 seed key.
self.gmsa_sd,
root_key_id,
Gkid(1, 1, 1),
- current_gkid=current_gkid,
+ current_time=current_gkid.start_nt_time(),
)
# Expect to get both L1 and L2 seed keys.
self.gmsa_sd,
root_key_id,
Gkid(222, 11, 0),
- current_gkid=current_gkid,
+ current_time=current_gkid.start_nt_time(),
)
# Expect to get both L1 and L2 seed keys.
self.gmsa_sd,
root_key_id,
Gkid(287, 8, 7),
- current_gkid=current_gkid,
+ current_time=current_gkid.start_nt_time(),
)
# Expect to get both L1 and L2 seed keys.
self.gmsa_sd,
root_key_id,
gkid,
- current_gkid=self.current_gkid(self.get_samdb()),
+ current_time=self.current_nt_time(self.get_samdb()),
)
self.assertEqual(gkid, key.gkid)