/// <summary> /// Recovers an eIDAS-verified member with eidas payload. /// /// </summary> /// <param name="payload">a payload containing member id, the certificate and a new key to add to the member</param> /// <param name="signature">a payload signature with the private key corresponding to the certificate</param> /// <param name="cryptoEngine">a crypto engine that must contain the privileged key that is included in /// the payload(if it does not contain keys for other levels they will be generated)</param> /// <returns>a task of a new member</returns> public Task <ProtoMember> RecoverEidasMember( EidasRecoveryPayload payload, string signature, ICryptoEngine cryptoEngine) { Key privilegedKey = payload.Key; Key standardKey = GetOrGenerateKeyForLevel(cryptoEngine, Level.Standard); Key lowKey = GetOrGenerateKeyForLevel(cryptoEngine, Level.Low); IList <Key> keys = new List <Key> { privilegedKey, standardKey, lowKey }; ISigner signer = cryptoEngine.CreateSigner(privilegedKey.Id); string memberId = payload.MemberId; var request = new RecoverEidasRequest { Payload = payload, Signature = signature }; var memberRequest = new GetMemberRequest { MemberId = memberId }; return(Util.TwoTasks( gateway.GetMemberAsync(memberRequest) .ToTask(response => response.Member), gateway.RecoverEidasMemberAsync(request) .ToTask(response => response.RecoveryEntry)) .Map(memberAndEntry => { IList <MemberOperation> operations = new List <MemberOperation>(); operations.Add(new MemberOperation { Recover = memberAndEntry.Value }); var list = keys .Select(key => new MemberOperation { AddKey = new MemberAddKeyOperation { Key = key } }) .ToList(); foreach (var operation in list) { operations.Add(operation); } return Util.ToUpdateMemberRequest(memberAndEntry.Key, operations, signer); }) .FlatMap(updateMember => gateway .UpdateMemberAsync(updateMember) .ToTask(response => response.Member))); }
/// <summary> /// Recovers a TPP member and verifies its EIDAS alias using eIDAS certificate. /// /// </summary> /// <param name="client">token client</param> /// <param name="memberId">id of the member to be recovered</param> /// <param name="tppAuthNumber">authNumber of the TPP</param> /// <param name="certificate">base64 encoded eIDAS certificate</param> /// <param name="certificatePrivateKey">private key corresponding to the public key in the certificate</param> /// <returns>verified business member</returns> public static Member RecoverEidas( Tokenio.Tpp.TokenClient client, string memberId, string tppAuthNumber, string certificate, byte[] certificatePrivateKey) { // create a signer using the certificate private key Algorithm signingAlgorithm = Algorithm.Rs256; ISigner payloadSigner = new Rs256Signer("eidas", certificatePrivateKey); // generate a new privileged key to add to the member ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore()); Key newKey = cryptoEngine.GenerateKey(Level.Privileged); // construct a payload with all the required data EidasRecoveryPayload payload = new EidasRecoveryPayload { MemberId = memberId, Certificate = certificate, Algorithm = signingAlgorithm, Key = newKey }; Tokenio.Tpp.Member recoveredMember = client .RecoverEidasMember(payload, payloadSigner.Sign(payload), cryptoEngine) .Result; // the eidas alias becomes unverified after the recovery, so we need to verify it again Alias eidasAlias = new Alias { Value = tppAuthNumber.Trim(), RealmId = recoveredMember.RealmId(), Type = Alias.Types.Type.Eidas }; VerifyEidasPayload verifyPayload = new VerifyEidasPayload { MemberId = memberId, Alias = eidasAlias, Certificate = certificate, Algorithm = signingAlgorithm }; VerifyEidasResponse response = recoveredMember .VerifyEidas(verifyPayload, payloadSigner.Sign(verifyPayload)) .Result; return(recoveredMember); }
/// <summary> /// Recovers an eIDAS-verified member with eIDAS payload. /// /// </summary> /// <param name="payload">a payload containing member id, the certificate and a new key to add to the member</param> /// <param name="signature">a payload signature with the private key corresponding to the certificate</param> /// <param name="cryptoEngine">a crypto engine that must contain the privileged key that is included in /// the payload(if it does not contain keys for other levels they will be generated)</param> /// <returns>a Task of a new member</returns> public Task <Member> RecoverEidasMember( EidasRecoveryPayload payload, string signature, ICryptoEngine cryptoEngine) { var unauthenticated = ClientFactory.Unauthenticated(channel); return(unauthenticated.RecoverEidasMember(payload, signature, cryptoEngine) .Map(member => { var client = ClientFactory.Authenticated(channel, member.Id, cryptoEngine); return new Member( member.Id, client, tokenCluster, member.PartnerId, member.RealmId); })); }