/// <summary>
/// Recovers an eIDAS-verified member with eidas payload.
///
/// </summary>
/// <param name="payload">a payload containing member id, the certificate and a new key to add to the member</param>
/// <param name="signature">a payload signature with the private key corresponding to the certificate</param>
/// <param name="cryptoEngine">a crypto engine that must contain the privileged key that is included in
/// the payload(if it does not contain keys for other levels they will be generated)</param>
/// <returns>a task of a new member</returns>
public Task <ProtoMember> RecoverEidasMember(
EidasRecoveryPayload payload,
string signature,
ICryptoEngine cryptoEngine)
{
Key privilegedKey = payload.Key;
Key standardKey = GetOrGenerateKeyForLevel(cryptoEngine,
Level.Standard);
Key lowKey = GetOrGenerateKeyForLevel(cryptoEngine,
Level.Low);
IList <Key> keys = new List <Key> {
privilegedKey, standardKey, lowKey
};
ISigner signer = cryptoEngine.CreateSigner(privilegedKey.Id);
string memberId = payload.MemberId;
var request = new RecoverEidasRequest
{
Payload = payload,
Signature = signature
};
var memberRequest = new GetMemberRequest {
MemberId = memberId
};
return(Util.TwoTasks(
gateway.GetMemberAsync(memberRequest)
.ToTask(response => response.Member),
gateway.RecoverEidasMemberAsync(request)
.ToTask(response => response.RecoveryEntry))
.Map(memberAndEntry =>
{
IList <MemberOperation> operations = new List <MemberOperation>();
operations.Add(new MemberOperation {
Recover = memberAndEntry.Value
});
var list = keys
.Select(key => new MemberOperation
{
AddKey = new MemberAddKeyOperation
{
Key = key
}
})
.ToList();
foreach (var operation in list)
{
operations.Add(operation);
}
return Util.ToUpdateMemberRequest(memberAndEntry.Key,
operations,
signer);
})
.FlatMap(updateMember => gateway
.UpdateMemberAsync(updateMember)
.ToTask(response => response.Member)));
}
/// <summary>
/// Recovers a TPP member and verifies its EIDAS alias using eIDAS certificate.
///
/// </summary>
/// <param name="client">token client</param>
/// <param name="memberId">id of the member to be recovered</param>
/// <param name="tppAuthNumber">authNumber of the TPP</param>
/// <param name="certificate">base64 encoded eIDAS certificate</param>
/// <param name="certificatePrivateKey">private key corresponding to the public key in the certificate</param>
/// <returns>verified business member</returns>
public static Member RecoverEidas(
Tokenio.Tpp.TokenClient client,
string memberId,
string tppAuthNumber,
string certificate,
byte[] certificatePrivateKey)
{
// create a signer using the certificate private key
Algorithm signingAlgorithm = Algorithm.Rs256;
ISigner payloadSigner = new Rs256Signer("eidas", certificatePrivateKey);
// generate a new privileged key to add to the member
ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
Key newKey = cryptoEngine.GenerateKey(Level.Privileged);
// construct a payload with all the required data
EidasRecoveryPayload payload = new EidasRecoveryPayload
{
MemberId = memberId,
Certificate = certificate,
Algorithm = signingAlgorithm,
Key = newKey
};
Tokenio.Tpp.Member recoveredMember = client
.RecoverEidasMember(payload, payloadSigner.Sign(payload), cryptoEngine)
.Result;
// the eidas alias becomes unverified after the recovery, so we need to verify it again
Alias eidasAlias = new Alias
{
Value = tppAuthNumber.Trim(),
RealmId = recoveredMember.RealmId(),
Type = Alias.Types.Type.Eidas
};
VerifyEidasPayload verifyPayload = new VerifyEidasPayload
{
MemberId = memberId,
Alias = eidasAlias,
Certificate = certificate,
Algorithm = signingAlgorithm
};
VerifyEidasResponse response = recoveredMember
.VerifyEidas(verifyPayload, payloadSigner.Sign(verifyPayload))
.Result;
return(recoveredMember);
}
/// <summary>
/// Recovers an eIDAS-verified member with eIDAS payload.
///
/// </summary>
/// <param name="payload">a payload containing member id, the certificate and a new key to add to the member</param>
/// <param name="signature">a payload signature with the private key corresponding to the certificate</param>
/// <param name="cryptoEngine">a crypto engine that must contain the privileged key that is included in
/// the payload(if it does not contain keys for other levels they will be generated)</param>
/// <returns>a Task of a new member</returns>
public Task <Member> RecoverEidasMember(
EidasRecoveryPayload payload,
string signature,
ICryptoEngine cryptoEngine)
{
var unauthenticated = ClientFactory.Unauthenticated(channel);
return(unauthenticated.RecoverEidasMember(payload,
signature,
cryptoEngine)
.Map(member =>
{
var client = ClientFactory.Authenticated(channel,
member.Id,
cryptoEngine);
return new Member(
member.Id,
client,
tokenCluster,
member.PartnerId,
member.RealmId);
}));
}
