tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()

This will allow building test_as_req_enc_timestamp()

It also introduces ways to specify keys in hex formated environment
variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065)

python/samba/tests/krb5/raw_testcase.py

@@ -784,6 +784,35 @@ class RawKerberosTest(TestCaseInTempDir):
         return self.PasswordKey_create(
             etype=e, pwd=password, salt=salt, kvno=kvno)
 
+    def TicketDecryptionKey_from_creds(self, creds, etype=None):
+
+        if etype is None:
+            etypes = creds.get_tgs_krb5_etypes()
+            etype = etypes[0]
+
+        forced_key = creds.get_forced_key(etype)
+        if forced_key is not None:
+            return forced_key
+
+        kvno = creds.get_kvno()
+
+        fail_msg = ("%s has no fixed key for etype[%s] kvno[%s] "
+                    "nor a password specified, " % (
+                        creds.get_username(), etype, kvno))
+
+        if etype == kcrypto.Enctype.RC4:
+            nthash = creds.get_nt_hash()
+            self.assertIsNotNone(nthash, msg=fail_msg)
+            return self.SessionKey_create(etype=etype, contents=nthash, kvno=kvno)
+
+        password = creds.get_password()
+        self.assertIsNotNone(password, msg=fail_msg)
+        salt = creds.get_forced_salt()
+        if salt is None:
+            salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()),
+                    encoding='utf-8')
+        return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, kvno=kvno)
+
     def RandomKey(self, etype):
         e = kcrypto._get_enctype_profile(etype)
         contents = samba.generate_random_bytes(e.keysize)