/// <summary>
/// Creates a Passport key on the machine using the account id passed.
/// Then returns a boolean based on whether we were able to create a Passport key or not.
///
/// Will also attempt to create an attestation that this key is backed by hardware on the device, but is not a requirement
/// for a working key in this scenario. It is possible to not accept a key that is software-based only.
/// </summary>
/// <param name="accountId">The account id associated with the account that we are enrolling into Passport</param>
/// <returns>Boolean representing if creating the Passport key succeeded</returns>
public async Task <bool> CreatePassportKey(string accountId)
{
KeyCredentialRetrievalResult keyCreationResult = await KeyCredentialManager.RequestCreateAsync(accountId, KeyCredentialCreationOption.ReplaceExisting);
if (keyCreationResult.Status == KeyCredentialStatus.Success)
{
KeyCredential userKey = keyCreationResult.Credential;
IBuffer publicKey = userKey.RetrievePublicKey();
KeyCredentialAttestationResult keyAttestationResult = await userKey.GetAttestationAsync();
if (keyAttestationResult.Status == KeyCredentialAttestationStatus.Success)
{
//keyAttestation Included.
//TODO:read keyAttestationResult.AttestationBuffer and keyAttestationResult.CertificateChainBuffer
}
else if (keyAttestationResult.Status == KeyCredentialAttestationStatus.TemporaryFailure)
{
//keyAttestation CanBeRetrievedLater
}
else if (keyAttestationResult.Status == KeyCredentialAttestationStatus.NotSupported)
{
//keyAttestation is not supported
}
// Package public key, keyAttesation if available,
// certificate chain for attestation endorsement key if available,
// status code of key attestation result: keyAttestationIncluded or
// keyAttestationCanBeRetrievedLater and keyAttestationRetryType
// and send it to application server to register the user.
bool serverAddedPassportToAccount = await AddPassportToAccountOnServer();
if (serverAddedPassportToAccount == true)
{
return(true);
}
}
else if (keyCreationResult.Status == KeyCredentialStatus.UserCanceled)
{
// User cancelled the Passport enrollment process
}
else if (keyCreationResult.Status == KeyCredentialStatus.NotFound)
{
// User needs to create PIN
return(false);
}
return(false);
}
public void PassportUpdateDetails(Guid userId, Guid deviceId, byte[] publicKey,
KeyCredentialAttestationResult keyAttestationResult)
{
UserAccount existingUserAccount = GetUserAccount(userId);
if (existingUserAccount != null)
{
if (!existingUserAccount.PassportDevices.Any(f => f.DeviceId.Equals(deviceId)))
{
existingUserAccount.PassportDevices.Add(new PassportDevice()
{
DeviceId = deviceId,
PublicKey = publicKey,
// KeyAttestationResult = keyAttestationResult,
});
}
}
SaveAccountListAsync();
}
private static async Task GetKeyAttestationAsync(Guid userId, KeyCredentialRetrievalResult keyCreationResult)
{
KeyCredential userKey = keyCreationResult.Credential;
IBuffer publicKey = userKey.RetrievePublicKey();
KeyCredentialAttestationResult keyAttestationResult = await userKey.GetAttestationAsync();
IBuffer keyAttestation = null;
IBuffer certificateChain = null;
bool keyAttestationIncluded = false;
bool keyAttestationCanBeRetrievedLater = false;
KeyCredentialAttestationStatus keyAttestationRetryType = 0;
if (keyAttestationResult.Status == KeyCredentialAttestationStatus.Success)
{
keyAttestationIncluded = true;
keyAttestation = keyAttestationResult.AttestationBuffer;
certificateChain = keyAttestationResult.CertificateChainBuffer;
Debug.WriteLine("Successfully made key and attestation");
}
else if (keyAttestationResult.Status == KeyCredentialAttestationStatus.TemporaryFailure)
{
keyAttestationRetryType = KeyCredentialAttestationStatus.TemporaryFailure;
keyAttestationCanBeRetrievedLater = true;
Debug.WriteLine("Successfully made key but not attestation");
}
else if (keyAttestationResult.Status == KeyCredentialAttestationStatus.NotSupported)
{
keyAttestationRetryType = KeyCredentialAttestationStatus.NotSupported;
keyAttestationCanBeRetrievedLater = false;
Debug.WriteLine("Key created, but key attestation not supported");
}
Guid deviceId = Helpers.GetDeviceId();
//Update the Pasport details with the information we have just gotten above.
UpdatePassportDetails(userId, deviceId, publicKey.ToArray(), keyAttestationResult);
}
public void PassportUpdateDetails(Guid userId, Guid deviceId, byte[] publicKey,
KeyCredentialAttestationResult keyAttestationResult)
{
_mockStore.PassportUpdateDetails(userId, deviceId, publicKey, keyAttestationResult);
}
private async Task <bool> CreatePassportKey(string accountId)
{
KeyCredentialRetrievalResult keyCreationResult = await KeyCredentialManager.RequestCreateAsync(accountId, KeyCredentialCreationOption.ReplaceExisting);
if (keyCreationResult.Status == KeyCredentialStatus.Success)
{
KeyCredential userKey = keyCreationResult.Credential;
IBuffer publicKey = userKey.RetrievePublicKey();
KeyCredentialAttestationResult keyAttestationResult = await userKey.GetAttestationAsync();
IBuffer keyAttestation = null;
IBuffer certificateChain = null;
bool keyAttestationIncluded = false;
bool keyAttestationCanBeRetrievedLater = false;
KeyCredentialAttestationStatus keyAttestationRetryType = 0;
if (keyAttestationResult.Status == KeyCredentialAttestationStatus.Success)
{
keyAttestationIncluded = true;
keyAttestation = keyAttestationResult.AttestationBuffer;
certificateChain = keyAttestationResult.CertificateChainBuffer;
}
else if (keyAttestationResult.Status == KeyCredentialAttestationStatus.TemporaryFailure)
{
keyAttestationRetryType = KeyCredentialAttestationStatus.TemporaryFailure;
keyAttestationCanBeRetrievedLater = true;
}
else if (keyAttestationResult.Status == KeyCredentialAttestationStatus.NotSupported)
{
keyAttestationRetryType = KeyCredentialAttestationStatus.NotSupported;
keyAttestationCanBeRetrievedLater = false;
}
// Package public key, keyAttesation if available,
// certificate chain for attestation endorsement key if available,
// status code of key attestation result: keyAttestationIncluded or
// keyAttestationCanBeRetrievedLater and keyAttestationRetryType
// and send it to application server to register the user.
bool serverAddedPassportToAccount = await AddPassportToAccountOnServer();
if (serverAddedPassportToAccount == true)
{
return(true);
}
}
else if (keyCreationResult.Status == KeyCredentialStatus.UserCanceled)
{
// User cancelled the Passport enrollment process
}
else if (keyCreationResult.Status == KeyCredentialStatus.NotFound)
{
// User needs to create PIN
//textblock_PassportStatusText.Text = "Microsoft Passport is almost ready!\nPlease go to Windows Settings and set up a PIN to use it.";
//grid_PassportStatus.Background = new SolidColorBrush(Color.FromArgb(255, 50, 170, 207));
//button_PassportSignIn.IsEnabled = false;
m_passportAvailable = false;
}
else
{
}
return(false);
}
public static bool UpdatePassportDetails(Guid userId, Guid deviceId, byte[] publicKey, KeyCredentialAttestationResult keyAttestationResult)
{
//In the real world you would use an API to add Passport signing info to server for the signed in _account.
//For this tutorial we do not implement a WebAPI for our server and simply mock the server locally
//The CreatePassportKey method handles adding the Windows Hello account locally to the device using the KeyCredential Manager
//Using the userId the existing account should be found and updated.
AuthService.AuthService.Instance.PassportUpdateDetails(userId, deviceId, publicKey, keyAttestationResult);
return(true);
}
public void UpdateDetails(Guid userId, Guid DeviceId, byte[] publicKey, KeyCredentialAttestationResult keyAttestationResult)
{
_mockstore.deviceupdateDetails(userId, DeviceId, publicKey, keyAttestationResult);
}
