public ActionResult Index()
{
// The PKCertificateAuthentication class requires an implementation of INonceStore. We'll use the
// FileSystemNonceStore class.
var nonceStore = Util.GetNonceStore();
// Instantiate the PKCertificateAuthentication class passing our EntityFrameworkNonceStore.
var certAuth = new PKCertificateAuthentication(nonceStore);
// Call the Start() method, which is the first of the two server-side steps. This yields the nonce,
// a 16-byte-array which we'll send to the view.
var nonce = certAuth.Start();
// Notice that this previous will be executed even if an error has occured and it was redirected to
// this action.
var model = new AuthenticationModel()
{
Nonce = nonce,
DigestAlgorithm = PKCertificateAuthentication.DigestAlgorithm.Oid
};
// If this action is called because occurred an error. This error's message will be shown.
var vr = TempData["ValidationResults"] as ValidationResults;
if (vr != null && !vr.IsValid)
{
ModelState.AddModelError("", vr.ToString());
}
return(View(model));
}
private void startNewAuth()
{
var nonceStore = Util.GetNonceStore();
var certAuth = new PKCertificateAuthentication(nonceStore);
var nonce = certAuth.Start();
NonceField.Value = Convert.ToBase64String(nonce);
DigestAlgorithmField.Value = PKCertificateAuthentication.DigestAlgorithm.Oid;
}
public IHttpActionResult Get()
{
// The PKCertificateAuthentication class requires an implementation of INonceStore.
// We'll use the FileSystemNonceStore class.
var nonceStore = Util.GetNonceStore();
// Instantiate the PKCertificateAuthentication class passing our EntityFrameworkNonceStore
var certAuth = new PKCertificateAuthentication(nonceStore);
// Call the Start() method, which is the first of the two server-side steps. This yields the nonce,
// a 16-byte-array which we'll send to the view.
var nonce = certAuth.Start();
return(Ok(nonce));
}
protected void SubmitButton_Click(object sender, EventArgs e)
{
var nonceStore = Util.GetNonceStore();
var certAuth = new PKCertificateAuthentication(nonceStore);
PKCertificate certificate;
var vr = certAuth.Complete(Convert.FromBase64String(NonceField.Value), Convert.FromBase64String(CertificateField.Value), Convert.FromBase64String(SignatureField.Value), Util.GetTrustArbitrator(), out certificate);
if (!vr.IsValid)
{
vr.Errors.ForEach(ve => ModelState.AddModelError("", ve.ToString()));
startNewAuth();
return;
}
this.AuthenticatedCertificate = certificate;
this.ValidationResults = vr;
Server.Transfer("AuthenticationSuccess.aspx");
}
public ActionResult Index(AuthenticationModel model)
{
// As before, we instantiate a FileSystemNonceStore class and use that to
// instantiate a PKCertificateAuthentication
var nonceStore = Util.GetNonceStore();
var certAuth = new PKCertificateAuthentication(nonceStore);
// Call the Complete() method, which is the last of the two server-side steps. It receives:
// - The nonce which was signed using the user's certificate
// - The user's certificate encoding
// - The nonce signature
// - A TrustArbitrator to be used to determine trust in the certificate (for more information see http://pki.lacunasoftware.com/Help/html/e7724d78-9835-4f06-b58c-939b721f6e7b.htm)
// The call yields:
// - A ValidationResults which denotes whether the authentication was successful or not
// - The user's decoded certificate
PKCertificate certificate;
var vr = certAuth.Complete(model.Nonce, model.Certificate, model.Signature, Util.GetTrustArbitrator(), out certificate);
// NOTE: By changing the TrustArbitrator above, you can accept only certificates from a certain PKI,
// for instance, ICP-Brasil (TrustArbitrators.PkiBrazil). For more information, see
// http://pki.lacunasoftware.com/Help/html/e7724d78-9835-4f06-b58c-939b721f6e7b.htm
//
// The value above (TrustArbitrators.Windows) specifies that the root certification authorities in the
// Windows certificate store are to be used as trust arbitrators.
// Check the authentication result
if (!vr.IsValid)
{
// The authentication failed, redirect and inform in index view.
TempData["ValidationResults"] = vr;
return(RedirectToAction("Index"));
}
// We redirect to AuthenticationInfo action, that renders the certificate infomations
// in its viwe
return(View("AuthenticationInfo", new AuthenticationInfoModel()
{
UserCert = PKCertificate.Decode(model.Certificate)
}));
}
public ActionResult Index(AuthenticationModel model)
{
// As before, we instantiate a FileSystemNonceStore class and use that to instantiate a
// PKCertificateAuthentication.
var nonceStore = Util.GetNonceStore();
var certAuth = new PKCertificateAuthentication(nonceStore);
// Call the Complete() method, which is the last of the two server-side steps. It receives:
// - The nonce which was signed using the user's certificate.
// - The user's certificate encoding.
// - The nonce signature.
// - A TrustArbitrator to be used to determine trust in the certificate.
// The call yields:
// - A ValidationResults which denotes whether the authentication was successful or not.
// - The user's decoded certificate.
PKCertificate certificate;
var vr = certAuth.Complete(model.Nonce, model.Certificate, model.Signature, Util.GetTrustArbitrator(), out certificate);
// Check the authentication result
if (!vr.IsValid)
{
// The authentication failed, redirect and inform in index view.
TempData["ValidationResults"] = vr;
return(RedirectToAction("Index"));
}
// At this point, you have assurance that the certificate is valid according to the
// TrustArbitrator you selected when starting the authentication and that the user is indeed the
// certificate's subject. Now, you'd typically query your database for a user that matches one of
// the certificate's fields, such as userCert.EmailAddress or userCert.PkiBrazil.CPF (the actual
// field to be used as key depends on your application's business logic) and set the user ID on
// the auth cookie. For demonstration purposes, we'll set the email address directly on the
// cookie as if it were the user ID.
return(View("Success", new AuthenticationInfoModel()
{
UserCert = PKCertificate.Decode(model.Certificate)
}));
}
public IHttpActionResult Post(AuthenticationPostRequest request)
{
// As before, we instantiate a FileSystemNonceStore class and use that to
// instantiate a PKCertificateAuthentication
var nonceStore = Util.GetNonceStore();
var certAuth = new PKCertificateAuthentication(nonceStore);
// Call the Complete() method, which is the last of the two server-side steps. It receives:
// - The nonce which was signed using the user's certificate
// - The user's certificate encoding
// - The nonce signature
// - A TrustArbitrator to be used to determine trust in the certificate (for more information see http://pki.lacunasoftware.com/Help/html/e7724d78-9835-4f06-b58c-939b721f6e7b.htm)
// The call yields:
// - A ValidationResults which denotes whether the authentication was successful or not
// - The user's decoded certificate
PKCertificate certificate;
var vr = certAuth.Complete(request.Nonce, request.Certificate, request.Signature, Util.GetTrustArbitrator(), out certificate);
// NOTE: By changing the TrustArbitrator above, you can accept only certificates from a certain PKI,
// for instance, ICP-Brasil (TrustArbitrators.PkiBrazil). For more information, see
// http://pki.lacunasoftware.com/Help/html/e7724d78-9835-4f06-b58c-939b721f6e7b.htm
//
// The value above (TrustArbitrators.Windows) specifies that the root certification authorities in the
// Windows certificate store are to be used as trust arbitrators.
// Check the authentication result
if (!vr.IsValid)
{
return(new ResponseMessageResult(Request.CreateResponse(HttpStatusCode.BadRequest, new ValidationErrorModel(vr))));
}
var response = new AuthenticationPostResponse()
{
Certificate = new CertificateModel(certificate)
};
return(Ok(response));
}
