4.1.31.2 Server Behavior of the IDL_DRSReadNgcKey Method

  • Article

Informative summary of behavior: The IDL_DRSReadNgcKey method reads the msDS-KeyCredentialLink attribute values of an object, attempts to parses the msDS-KeyCredentialLink attribute on the object and returns the KeyMaterial field ([MS-ADTS] section 2.2.20.6) from the first entry that is successfully parsed. The order in which the values are parsed is implementation specific. Note that the following pseudocode uses the KEYCREDENTIALLINK_BLOB and KEYCREDENTIALLINK_ENTRY structures and related constants ([MS-ADTS] section 2.2.20).

 ULONG IDL_DRSReadNgcKey(
   [in, ref] DRS_HANDLE hDrs,
   [in] DWORD dwInVersion,
   [in, ref, switch_is(dwInVersion)] 
     DRS_MSG_READNGCKEYREQ* pmsgIn,
   [out, ref] DWORD* pdwOutVersion,
   [out, ref, switch_is(*pdwOutVersion)] 
     DRS_MSG_READNGCKEYREPLY* pmsgOut);
  
 accountDN: unicodestring
 account: DSName
 keyValue : array of UCHAR
 err: DWORD
 key: DNBinary
 keyBinary: array of BYTE
 keyBlob: KEYCREDENTIALLINK_BLOB
 keyEntry: KEYCREDENTIALLINK_ENTRY
 offset: DWORD
  
 ValidateDRSInput(hDrs, 30)
  
 pdwOutVersion^ := 1
 pmsgOut^.V1.retVal := 0
  
 /* Input parameter validation */
 if dwInVersion ≠ 1 then
   pmsgOut^.V1.retVal := ERROR_INVALID_PARAMETER
   return ERROR_INVALID_PARAMETER
 endif
  
 /* Input parameter validation */
 if ClientUUID(hDrs) ≠ NTDSAPI_CLIENT_GUID
   pmsgOut^.V1.retVal := ERROR_INVALID_PARAMETER
   return ERROR_INVALID_PARAMETER
 endif
  
 accountDN := pmsgIn^.V1.pwszAccount
  
 if accountDN = null or accountDN = "" then
   pmsgOut^.V1.retVal := ERROR_INVALID_PARAMETER
   return ERROR_INVALID_PARAMETER
 endif
  
 account := GetDSNameFromDN(accountDN);
 if not ObjExists(account) then
   pmsgOut^.V1.retVal := ERROR_DS_OBJ_NOT_FOUND
   return ERROR_DS_OBJ_NOT_FOUND
 endif
  
 /* Perform access checks */
 if (!AccessCheckAttr(account,
                    msDS-KeyCredentialLink, 
                    RIGHT_DS_READ_PROPERTY)) then
    return ERROR_DS_INSUFF_ACCESS_RIGHTS
 endif
 keyValue := NULL
  
 foreach (key in obj!msDS-KeyCredentialLink)
     keyBinary := key!Binary
     offset := 0
     keyBlob := keyBinary
     offset := offset + sizeof(keyBlob)
     
     if (keyBlob!Version != KEY_CREDENTIAL_LINK_VERSION_2)
         continue
     endif
  
     while (offset < length(keyBinary)) 
         keyEntry := keyBinary[offset]
         offset := 
             offset + 
             sizeof(keyEntry!Length) + 
             sizeof(keyEntry!Identifier) + 
             keyEntry!Length
         
         if (keyEntry!Identifer = KeyMaterial) 
             keyValue := keyEntry!Value
           break
         endif
     endwhile
     if (keyValue != NULL) 
         break
     endif 
 endfor
  
 if (keyValue == NULL) 
     return ERROR_DS_OBJ_NOT_FOUND
 endif
  
 pmsgOut^.V1.pNgcKey := keyValue
 pmsgOut^.V1.cNgcKey := length(keyValue)
 return 0