Improvements for AP-REP validation

Kerberos.NET/Client/ApplicationSessionContext.cs

@@ -15,6 +15,10 @@ public class ApplicationSessionContext
 
         public KrbEncryptionKey SessionKey { get; set; }
 
+        public KrbEncryptionKey ServiceTicketSessionKey { get; set; }
+
+        public KrbEncryptionKey ClientSubSessionKey { get; set; }
+
         public int? SequenceNumber { get; set; }
 
         public int CuSec { get; set; }
@@ -37,11 +41,39 @@ public KrbEncryptionKey AuthenticateServiceResponse(ReadOnlyMemory<byte> apRepBy
                 SequenceNumber = this.SequenceNumber
             };
 
-            decrypted.Decrypt(this.SessionKey.AsKey());
+            DecryptApRep(decrypted);
 
             decrypted.Validate(ValidationActions.TokenWindow);
 
             return decrypted.Response.SubSessionKey ?? this.SessionKey;
         }
+
+        private void DecryptApRep(DecryptedKrbApRep decrypted)
+        {
+            foreach (var key in new[]
+            {
+                this.SessionKey,
+                this.ServiceTicketSessionKey,
+                this.ClientSubSessionKey,
+            })
+            {
+                if (key == null)
+                {
+                    continue;
+                }
+
+                try
+                {
+                    decrypted.Decrypt(key.AsKey());
+                    return;
+                }
+                catch (Exception)
+                {
+                    // Not this key, continue to the next one
+                }
+            }
+
+            throw new InvalidOperationException("Failed to decrypt AP-REP with any of the provided keys.");
+        }
     }
 }

Kerberos.NET/Client/KerberosClient.cs

@@ -883,6 +883,8 @@ public async Task<ApplicationSessionContext> GetServiceTicket(
                         out KrbAuthenticator authenticator
                     ),
                     SessionKey = authenticator.Subkey ?? serviceTicketCacheEntry.SessionKey,
+                    ClientSubSessionKey = authenticator.Subkey,
+                    ServiceTicketSessionKey = serviceTicketCacheEntry.SessionKey,
                     CTime = authenticator.CTime,
                     CuSec = authenticator.CuSec,
                     SequenceNumber = authenticator.SequenceNumber

Kerberos.NET/Crypto/DecryptedKrbApRep.cs

@@ -61,14 +61,6 @@ public override void Validate(ValidationActions validation)
                     nameof(this.CuSec)
                 );
             }
-
-            if (this.SequenceNumber != this.Response.SequenceNumber)
-            {
-                throw new KerberosValidationException(
-                    $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
-                    nameof(this.SequenceNumber)
-                );
-            }
         }
     }
 }

Tests/Tests.Kerberos.NET/KrbApReq/ValidatorTests.cs

@@ -383,21 +383,5 @@ public void DecryptedKrbApRep_Validate_CuSec()
 
             decrypted.Validate(ValidationActions.All);
         }
-
-        [TestMethod]
-        [ExpectedException(typeof(KerberosValidationException))]
-        public void DecryptedKrbApRep_Validate_Sequence()
-        {
-            var now = DateTimeOffset.UtcNow;
-
-            var sessionKey = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96);
-
-            var decrypted = CreateResponseMessage(now, 111, 123, sessionKey.AsKey());
-
-            decrypted.CTime = now;
-            decrypted.CuSec = 111;
-
-            decrypted.Validate(ValidationActions.All);
-        }
     }
 }