Example #1
        /// <summary>
        /// Recovers a TPP member and verifies its eIDAS alias using an eIDAS certificate.
        /// </summary>
        /// <param name="client">token client</param>
        /// <param name="memberId">id of the member to be recovered</param>
        /// <param name="tppAuthNumber">authNumber of the TPP</param>
        /// <param name="certificate">base64 encoded eIDAS certificate</param>
        /// <param name="certificatePrivateKey">private key corresponding to the public key in the certificate</param>
        /// <returns>verified business member</returns>
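        public static Member RecoverEidas(
            Tokenio.Tpp.TokenClient client,
            string memberId,
            string tppAuthNumber,
            string certificate,
            byte[] certificatePrivateKey)
        {
            // Reject missing arguments before anything is generated or sent. tppAuthNumber
            // is first dereferenced only after the recovery call, so a null value used to
            // surface as a NullReferenceException once the member had already been
            // recovered, leaving its eIDAS alias unverified.
            if (client == null)
            {
                throw new System.ArgumentNullException(nameof(client));
            }

            if (memberId == null)
            {
                throw new System.ArgumentNullException(nameof(memberId));
            }

            if (tppAuthNumber == null)
            {
                throw new System.ArgumentNullException(nameof(tppAuthNumber));
            }

            if (certificate == null)
            {
                throw new System.ArgumentNullException(nameof(certificate));
            }

            if (certificatePrivateKey == null)
            {
                throw new System.ArgumentNullException(nameof(certificatePrivateKey));
            }

            // Both payloads below are signed with the certificate's private key.
            // NOTE(review): "eidas" is presumably the key id handed to the signer - confirm.
            // The caller owns certificatePrivateKey; it is sensitive material and should not
            // be logged or kept in memory longer than needed.
            Algorithm signingAlgorithm = Algorithm.Rs256;
            ISigner payloadSigner = new Rs256Signer("eidas", certificatePrivateKey);

            // Generate the new privileged key that is added to the member by the recovery.
            // NOTE(review): the key is created in an InMemoryKeyStore built right here, so it
            // presumably does not outlive the process; production code would need a
            // persistent, access-controlled key store - confirm.
            ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
            Key newKey = cryptoEngine.GenerateKey(Level.Privileged);

            // Recovery payload: member id, certificate, signing algorithm and the new key.
            EidasRecoveryPayload payload = new EidasRecoveryPayload
            {
                MemberId = memberId,
                Certificate = certificate,
                Algorithm = signingAlgorithm,
                Key = newKey
            };

            // .Result blocks the calling thread until the call completes.
            // NOTE(review): assuming RecoverEidasMember returns a Task, failures arrive
            // wrapped in an AggregateException.
            Tokenio.Tpp.Member recoveredMember = client
                .RecoverEidasMember(payload, payloadSigner.Sign(payload), cryptoEngine)
                .Result;

            // The eIDAS alias becomes unverified after the recovery, so it is verified again.
            Alias eidasAlias = new Alias
            {
                Value = tppAuthNumber.Trim(),
                RealmId = recoveredMember.RealmId(),
                Type = Alias.Types.Type.Eidas
            };

            VerifyEidasPayload verifyPayload = new VerifyEidasPayload
            {
                MemberId = memberId,
                Alias = eidasAlias,
                Certificate = certificate,
                Algorithm = signingAlgorithm
            };

            // NOTE(review): the verification response is never inspected, so the member is
            // returned whether or not the alias was actually verified. Check the outcome
            // carried by VerifyEidasResponse and fail when verification did not succeed -
            // confirm which fields it exposes.
            VerifyEidasResponse response = recoveredMember
                .VerifyEidas(verifyPayload, payloadSigner.Sign(verifyPayload))
                .Result;

            return recoveredMember;
        }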