private void EnrollWorkerOnDoWork(object sender, DoWorkEventArgs doWorkEventArgs)
{
string devName = YubikeyNeoManager.Instance.ListDevices().FirstOrDefault();
bool hasDevice = !string.IsNullOrEmpty(devName);
if (!hasDevice)
{
throw new InvalidOperationException("No yubikey");
}
// 0. Get lock on yubikey
using (YubikeyNeoDevice dev = YubikeyNeoManager.Instance.OpenDevice(devName))
{
// 1. Prep device info
int deviceId = dev.GetSerialNumber();
string neoFirmware = dev.GetVersion().ToString();
Version pivFirmware;
using (YubikeyPivDevice piv = YubikeyPivManager.Instance.OpenDevice(devName))
pivFirmware = piv.GetVersion();
_enrollWorker.ReportProgress(1);
// 2 - Generate PUK, prep PIN
byte[] randomKey = Utilities.GenerateRandomKey();
string puk = Utilities.MapBytesToString(randomKey.Take(8).ToArray());
string pin = txtPin.Text;
_enrollWorker.ReportProgress(2);
// 3 - Prep CA
WindowsCertificate enrollmentAgent = WindowsCertStoreUtilities.FindCertificate(_settings.EnrollmentAgentCertificate);
string ca = _settings.CSREndpoint;
string caTemplate = _settings.EnrollmentCaTemplate;
string user = txtUser.Text;
if (enrollmentAgent == null)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to find the certificate with thumbprint: " + _settings.EnrollmentAgentCertificate;
return;
}
_enrollWorker.ReportProgress(3);
// 4 - Prep Management Key
// TODO: Consider a new key every time?
byte[] mgmKey = _settings.EnrollmentManagementKey;
_enrollWorker.ReportProgress(4);
RSAParameters publicKey;
X509Certificate2 cert;
byte[] chuid;
using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName))
{
// 5 - Yubico: Reset device
pivTool.BlockPin();
pivTool.BlockPuk();
bool reset = pivTool.ResetDevice();
if (!reset)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to reset the YubiKey";
return;
}
_enrollWorker.ReportProgress(5);
// 6 - Yubico: Management Key
bool authenticated = pivTool.Authenticate(YubikeyPivDevice.DefaultManagementKey);
if (!authenticated)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to authenticate with the YubiKey";
return;
}
bool setMgmKey = pivTool.SetManagementKey(mgmKey);
if (!setMgmKey)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set the management key";
return;
}
_enrollWorker.ReportProgress(6);
// 7 - Yubico: Set CHUID
bool setChuid = pivTool.SetCHUID(Guid.NewGuid(), out chuid);
if (!setChuid)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set CHUID";
return;
}
_enrollWorker.ReportProgress(7);
// 8 - Yubico: PIN
int tmp;
bool setPin = pivTool.ChangePin(YubikeyPivDevice.DefaultPin, pin, out tmp);
if (!setPin)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set the PIN code";
return;
}
_enrollWorker.ReportProgress(8);
// 9 - Yubico: PUK
bool setPuk = pivTool.ChangePuk(YubikeyPivDevice.DefaultPuk, puk, out tmp);
if (!setPuk)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set the PUK code";
return;
}
_enrollWorker.ReportProgress(9);
// 10 - Yubico: Generate Key
YubikeyAlgorithm algorithm = (YubikeyAlgorithm)drpAlgorithm.SelectedItem;
bool keyGenerated = pivTool.GenerateKey9a(algorithm.Value, out publicKey);
if (!keyGenerated)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to generate a keypair";
return;
}
_enrollWorker.ReportProgress(10);
}
// 11 - Yubico: Make CSR
string csr;
string csrError;
bool madeCsr = MakeCsr(Utilities.ExportPublicKeyToPEMFormat(publicKey), pin, out csrError, out csr);
if (!madeCsr)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to generate a CSR" + Environment.NewLine + csrError;
return;
}
_enrollWorker.ReportProgress(11);
// 12 - Enroll
string enrollError;
bool enrolled = CertificateUtilities.Enroll(user, enrollmentAgent, ca, caTemplate, csr, out enrollError, out cert);
if (!enrolled)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to enroll a certificate." + Environment.NewLine + enrollError;
return;
}
_enrollWorker.ReportProgress(12);
using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName))
{
// 13 - Yubico: Import Cert
bool authenticatedForCert = pivTool.Authenticate(mgmKey);
if (!authenticatedForCert)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to authenticate prior to importing a certificate";
return;
}
YubicoPivReturnCode imported = pivTool.SetCertificate9a(cert);
if (imported != YubicoPivReturnCode.YKPIV_OK)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = $"Unable to import a certificate, return code {imported}";
return;
}
_enrollWorker.ReportProgress(13);
}
// 14 - Create enrolled item
EnrolledYubikey newEnrollment = new EnrolledYubikey();
newEnrollment.DeviceSerial = deviceId;
newEnrollment.Certificate.Serial = cert.SerialNumber;
newEnrollment.Certificate.Thumbprint = cert.Thumbprint;
newEnrollment.Certificate.Subject = cert.Subject;
newEnrollment.Certificate.Issuer = cert.Issuer;
newEnrollment.Certificate.StartDate = cert.NotBefore;
newEnrollment.Certificate.ExpireDate = cert.NotAfter;
newEnrollment.Certificate.RawCertificate = cert.RawData;
newEnrollment.CA = ca;
newEnrollment.Username = user;
newEnrollment.ManagementKey = mgmKey;
newEnrollment.PukKey = puk;
newEnrollment.Chuid = BitConverter.ToString(chuid).Replace("-", "");
newEnrollment.EnrolledAt = DateTime.UtcNow;
newEnrollment.YubikeyVersions.NeoFirmware = neoFirmware;
newEnrollment.YubikeyVersions.PivApplet = pivFirmware.ToString();
_dataStore.Add(newEnrollment);
_enrollWorker.ReportProgress(14);
// 15 - Save store
_dataStore.Save(MainForm.FileStore);
_enrollWorker.ReportProgress(15);
// Report
doWorkEventArgs.Cancel = false;
_enrollWorkerMessage = "Success";
}
}