/// <summary> /// Illustrate recovery using a not-normal-"consumer mode" recovery agent. /// </summary> /// <param name="tokenClient">SDK client</param> /// <param name="alias">Alias of member to recover</param> /// <returns>the recovered member</returns> public Tokenio.Member RecoverWithComplexRule( TokenClient tokenClient, Alias alias) { var memberId = tokenClient.GetMemberId(alias).Result; var cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); var newKey = cryptoEngine.GenerateKey(Privileged); var verificationId = tokenClient.BeginRecovery(alias).Result; var authorization = tokenClient.CreateRecoveryAuthorization(memberId, newKey).Result; var agentSignature = GetRecoveryAgentSignature(authorization); var mro = new MemberRecoveryOperation { AgentSignature = agentSignature, Authorization = authorization }; var recoveredMember = tokenClient.CompleteRecovery( memberId, new List <MemberRecoveryOperation> { mro }, newKey, cryptoEngine).Result; recoveredMember.VerifyAlias(verificationId, "1thru6").Wait(); return(recoveredMember); }
public void keys() { IKeyStore keyStore = new InMemoryKeyStore(); ICryptoEngine crypto = new TokenCryptoEngine("member-id", keyStore); MemberMethodsSample.keys(crypto, member); }
public void KeysTest() { using (Tokenio.Tpp.TokenClient tokenClient = TestUtil.CreateClient()) { IKeyStore keyStore = new InMemoryKeyStore(); ICryptoEngine cryptoEngine = new TokenCryptoEngine("member-id", keyStore); TppMember member = tokenClient.CreateMemberBlocking(TestUtil.RandomAlias()); MemberMethodsSample.Keys(cryptoEngine, member); } }
/// <summary> /// Recovers a TPP member and verifies its EIDAS alias using eIDAS certificate. /// /// </summary> /// <param name="client">token client</param> /// <param name="memberId">id of the member to be recovered</param> /// <param name="tppAuthNumber">authNumber of the TPP</param> /// <param name="certificate">base64 encoded eIDAS certificate</param> /// <param name="certificatePrivateKey">private key corresponding to the public key in the certificate</param> /// <returns>verified business member</returns> public static Member RecoverEidas( Tokenio.Tpp.TokenClient client, string memberId, string tppAuthNumber, string certificate, byte[] certificatePrivateKey) { // create a signer using the certificate private key Algorithm signingAlgorithm = Algorithm.Rs256; ISigner payloadSigner = new Rs256Signer("eidas", certificatePrivateKey); // generate a new privileged key to add to the member ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); Key newKey = cryptoEngine.GenerateKey(Level.Privileged); // construct a payload with all the required data EidasRecoveryPayload payload = new EidasRecoveryPayload { MemberId = memberId, Certificate = certificate, Algorithm = signingAlgorithm, Key = newKey }; Tokenio.Tpp.Member recoveredMember = client .RecoverEidasMember(payload, payloadSigner.Sign(payload), cryptoEngine) .Result; // the eidas alias becomes unverified after the recovery, so we need to verify it again Alias eidasAlias = new Alias { Value = tppAuthNumber.Trim(), RealmId = recoveredMember.RealmId(), Type = Alias.Types.Type.Eidas }; VerifyEidasPayload verifyPayload = new VerifyEidasPayload { MemberId = memberId, Alias = eidasAlias, Certificate = certificate, Algorithm = signingAlgorithm }; VerifyEidasResponse response = recoveredMember .VerifyEidas(verifyPayload, payloadSigner.Sign(verifyPayload)) .Result; return(recoveredMember); }
/// <summary> /// Completes account recovery if the default recovery rule was set. /// </summary> /// <param name="memberId">the member id</param> /// <param name="verificationId">the verification id</param> /// <param name="code">the code</param> /// <returns>the new member</returns> public Task <Member> CompleteRecoveryWithDefaultRule( string memberId, string verificationId, string code) { var unauthenticated = ClientFactory.Unauthenticated(channel); var cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); return(unauthenticated .CompleteRecoveryWithDefaultRule(memberId, verificationId, code, cryptoEngine) .Map(member => { var client = ClientFactory.Authenticated(channel, member.Id, cryptoEngine); return new Member(client); })); }
public void Recovery_withSecondaryAgent() { var alias = Alias(); var member = tokenClient.CreateMemberBlocking(alias); var memberId = member.MemberId(); var primaryAgentId = member.GetDefaultAgentBlocking(); var secondaryAgent = tokenClient.CreateMemberBlocking(Alias()); var unusedSecondaryAgent = tokenClient.CreateMemberBlocking(Alias()); member.AddRecoveryRuleBlocking(new RecoveryRule { PrimaryAgent = primaryAgentId, SecondaryAgents = { secondaryAgent.MemberId(), unusedSecondaryAgent.MemberId() } }); var cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); var key = cryptoEngine.GenerateKey(Privileged); var verificationId = tokenClient.BeginRecoveryBlocking(alias); var authorization = new Authorization { MemberId = memberId, MemberKey = key, PrevHash = member.GetLastHashBlocking() }; var signature = secondaryAgent.AuthorizeRecoveryBlocking(authorization); var op1 = tokenClient.GetRecoveryAuthorizationBlocking(verificationId, "code", key); var op2 = new MemberRecoveryOperation { Authorization = authorization, AgentSignature = signature }; var recovered = tokenClient.CompleteRecoveryBlocking( memberId, new[] { op1, op2 }, key, cryptoEngine); Assert.Equal(member.MemberId(), recovered.MemberId()); Assert.Equal(3, recovered.GetKeysBlocking().Count); Assert.Empty(recovered.GetAliasesBlocking()); Assert.False(tokenClient.AliasExistsBlocking(alias)); recovered.VerifyAliasBlocking(verificationId, "code"); Assert.True(tokenClient.AliasExistsBlocking(alias)); CollectionAssert.Equivalent(new[] { alias.ToNormalized() }, recovered.GetAliasesBlocking()); }
/// <summary> /// Illustrate recovery using a not-normal-"consumer mode" recovery agent. /// </summary> /// <param name="tokenClient">SDK client</param> /// <param name="alias">Alias of member to recover</param> /// <returns>recovered member</returns> public TppMember RecoverWithComplexRule( Tokenio.Tpp.TokenClient tokenClient, Alias alias) { // complexRecovery begin snippet to include in docs string memberId = tokenClient.GetMemberIdBlocking(alias); ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); Key newKey = cryptoEngine.GenerateKey(Key.Types.Level.Privileged); string verificationId = tokenClient.BeginRecoveryBlocking(alias); MemberRecoveryOperation.Types.Authorization authorization = tokenClient.CreateRecoveryAuthorizationBlocking( memberId, newKey); // ask recovery agent to verify that I really am this member Signature agentSignature = getRecoveryAgentSignature(authorization); // We have all the signed authorizations we need. // (In this example, "all" is just one.) MemberRecoveryOperation mro = new MemberRecoveryOperation { Authorization = authorization, AgentSignature = agentSignature }; TppMember recoveredMember = tokenClient.CompleteRecoveryBlocking( memberId, (new[] { mro }).ToList(), newKey, cryptoEngine); // after recovery, aliases aren't verified // In the real world, we'd prompt the user to enter the code emailed to them. // Since our test member uses an auto-verify email address, any string will work, // so we use "1thru6". recoveredMember.VerifyAliasBlocking(verificationId, "1thru6"); // complexRecovery done snippet to include in docs return(recoveredMember); }
/// <summary> /// Recover previously-created member, assuming they were /// configured with a "normal consumer" recovery rule. /// </summary> /// <param name="tokenClient">SDK client</param> /// <param name="alias">alias of member to recoverWithDefaultRule</param> /// <returns>recovered member</returns> public TppMember RecoverWithDefaultRule(Tokenio.Tpp.TokenClient tokenClient, Alias alias) { string verificationId = tokenClient.BeginRecoveryBlocking(alias); // recoverWithDefault begin snippet to include in docs string memberId = tokenClient.GetMemberIdBlocking(alias); ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); // In the real world, we'd prompt the user to enter the code emailed to them. // Since our test member uses an auto-verify email address, any string will work, // so we use "1thru6". TppMember recoveredMember = tokenClient.CompleteRecoveryWithDefaultRuleBlocking( memberId, verificationId, "1thru6", cryptoEngine); // We can use the same verification code to re-claim this alias. recoveredMember.VerifyAliasBlocking(verificationId, "1thru6"); // recoverWithDefault done snippet to include in docs return(recoveredMember); }