private void EnrollWorkerOnDoWork(object sender, DoWorkEventArgs doWorkEventArgs) { string devName = YubikeyNeoManager.Instance.ListDevices().FirstOrDefault(); bool hasDevice = !string.IsNullOrEmpty(devName); if (!hasDevice) { throw new InvalidOperationException("No yubikey"); } // 0. Get lock on yubikey using (YubikeyNeoDevice dev = YubikeyNeoManager.Instance.OpenDevice(devName)) { // 1. Prep device info int deviceId = dev.GetSerialNumber(); string neoFirmware = dev.GetVersion().ToString(); Version pivFirmware; using (YubikeyPivDevice piv = YubikeyPivManager.Instance.OpenDevice(devName)) pivFirmware = piv.GetVersion(); _enrollWorker.ReportProgress(1); // 2 - Generate PUK, prep PIN byte[] randomKey = Utilities.GenerateRandomKey(); string puk = Utilities.MapBytesToString(randomKey.Take(8).ToArray()); string pin = txtPin.Text; _enrollWorker.ReportProgress(2); // 3 - Prep CA WindowsCertificate enrollmentAgent = WindowsCertStoreUtilities.FindCertificate(_settings.EnrollmentAgentCertificate); string ca = _settings.CSREndpoint; string caTemplate = _settings.EnrollmentCaTemplate; string user = txtUser.Text; if (enrollmentAgent == null) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to find the certificate with thumbprint: " + _settings.EnrollmentAgentCertificate; return; } _enrollWorker.ReportProgress(3); // 4 - Prep Management Key // TODO: Consider a new key every time? byte[] mgmKey = _settings.EnrollmentManagementKey; _enrollWorker.ReportProgress(4); RSAParameters publicKey; X509Certificate2 cert; byte[] chuid; using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName)) { // 5 - Yubico: Reset device pivTool.BlockPin(); pivTool.BlockPuk(); bool reset = pivTool.ResetDevice(); if (!reset) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to reset the YubiKey"; return; } _enrollWorker.ReportProgress(5); // 6 - Yubico: Management Key bool authenticated = pivTool.Authenticate(YubikeyPivDevice.DefaultManagementKey); if (!authenticated) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to authenticate with the YubiKey"; return; } bool setMgmKey = pivTool.SetManagementKey(mgmKey); if (!setMgmKey) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set the management key"; return; } _enrollWorker.ReportProgress(6); // 7 - Yubico: Set CHUID bool setChuid = pivTool.SetCHUID(Guid.NewGuid(), out chuid); if (!setChuid) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set CHUID"; return; } _enrollWorker.ReportProgress(7); // 8 - Yubico: PIN int tmp; bool setPin = pivTool.ChangePin(YubikeyPivDevice.DefaultPin, pin, out tmp); if (!setPin) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set the PIN code"; return; } _enrollWorker.ReportProgress(8); // 9 - Yubico: PUK bool setPuk = pivTool.ChangePuk(YubikeyPivDevice.DefaultPuk, puk, out tmp); if (!setPuk) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set the PUK code"; return; } _enrollWorker.ReportProgress(9); // 10 - Yubico: Generate Key YubikeyAlgorithm algorithm = (YubikeyAlgorithm)drpAlgorithm.SelectedItem; bool keyGenerated = pivTool.GenerateKey9a(algorithm.Value, out publicKey); if (!keyGenerated) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to generate a keypair"; return; } _enrollWorker.ReportProgress(10); } // 11 - Yubico: Make CSR string csr; string csrError; bool madeCsr = MakeCsr(Utilities.ExportPublicKeyToPEMFormat(publicKey), pin, out csrError, out csr); if (!madeCsr) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to generate a CSR" + Environment.NewLine + csrError; return; } _enrollWorker.ReportProgress(11); // 12 - Enroll string enrollError; bool enrolled = CertificateUtilities.Enroll(user, enrollmentAgent, ca, caTemplate, csr, out enrollError, out cert); if (!enrolled) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to enroll a certificate." + Environment.NewLine + enrollError; return; } _enrollWorker.ReportProgress(12); using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName)) { // 13 - Yubico: Import Cert bool authenticatedForCert = pivTool.Authenticate(mgmKey); if (!authenticatedForCert) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to authenticate prior to importing a certificate"; return; } YubicoPivReturnCode imported = pivTool.SetCertificate9a(cert); if (imported != YubicoPivReturnCode.YKPIV_OK) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = $"Unable to import a certificate, return code {imported}"; return; } _enrollWorker.ReportProgress(13); } // 14 - Create enrolled item EnrolledYubikey newEnrollment = new EnrolledYubikey(); newEnrollment.DeviceSerial = deviceId; newEnrollment.Certificate.Serial = cert.SerialNumber; newEnrollment.Certificate.Thumbprint = cert.Thumbprint; newEnrollment.Certificate.Subject = cert.Subject; newEnrollment.Certificate.Issuer = cert.Issuer; newEnrollment.Certificate.StartDate = cert.NotBefore; newEnrollment.Certificate.ExpireDate = cert.NotAfter; newEnrollment.Certificate.RawCertificate = cert.RawData; newEnrollment.CA = ca; newEnrollment.Username = user; newEnrollment.ManagementKey = mgmKey; newEnrollment.PukKey = puk; newEnrollment.Chuid = BitConverter.ToString(chuid).Replace("-", ""); newEnrollment.EnrolledAt = DateTime.UtcNow; newEnrollment.YubikeyVersions.NeoFirmware = neoFirmware; newEnrollment.YubikeyVersions.PivApplet = pivFirmware.ToString(); _dataStore.Add(newEnrollment); _enrollWorker.ReportProgress(14); // 15 - Save store _dataStore.Save(MainForm.FileStore); _enrollWorker.ReportProgress(15); // Report doWorkEventArgs.Cancel = false; _enrollWorkerMessage = "Success"; } }