public void SearchableDeviceKey_Parse_FIDO()
{
string jsonData = @"{
'usage':'FIDO',
'keyIdentifier':'GshyINLMaOOwqt1LNUi0gQ==',
'keyMaterial':'eyJ2ZXJzaW9uIjoxLCJhdXRoRGF0YSI6Ik5XeWUxS0NUSWJscFh4NnZrWUlEOGJWZmFKMm1IN3lXR0V3VmZkcG9ESUhGQUFBQUdjdHBTQjZQOTBBNWsrd0tKeW1oVktnQUVCckljaURTekdqanNLcmRTelZJdElHbEFRSURKaUFCSVZnZ29uTkNlY2EwZE5LTzlaWXBGdjlvMCtlZ0VGQ1ZTeXJ0UmN1NndrMStoT2dpV0NDNWE3MFI0ZlNFZ0ZpNWxnQTRBVVBmN1Y0Q2p5VWcvb1VWTFEzem5kZnc1YUZyYUcxaFl5MXpaV055WlhUMSIsIng1YyI6WyJNSUlDdlRDQ0FhV2dBd0lCQWdJRUdLeEd3REFOQmdrcWhraUc5dzBCQVFzRkFEQXVNU3d3S2dZRFZRUURFeU5aZFdKcFkyOGdWVEpHSUZKdmIzUWdRMEVnVTJWeWFXRnNJRFExTnpJd01EWXpNVEFnRncweE5EQTRNREV3TURBd01EQmFHQTh5TURVd01Ea3dOREF3TURBd01Gb3diakVMTUFrR0ExVUVCaE1DVTBVeEVqQVFCZ05WQkFvTUNWbDFZbWxqYnlCQlFqRWlNQ0FHQTFVRUN3d1pRWFYwYUdWdWRHbGpZWFJ2Y2lCQmRIUmxjM1JoZEdsdmJqRW5NQ1VHQTFVRUF3d2VXWFZpYVdOdklGVXlSaUJGUlNCVFpYSnBZV3dnTkRFek9UUXpORGc0TUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZWVvN0xIeEpjQkJpSXd6U1ArdGc1U2t4Y2RTRDhRQytoWjFyRDRPWEF3RzFSczNVYnMvSzQrUHpENEhwN1dLOUpvMU1IcjAzczd5K2txakNydXRPT3FOc01Hb3dJZ1lKS3dZQkJBR0N4QW9DQkJVeExqTXVOaTR4TGpRdU1TNDBNVFE0TWk0eExqY3dFd1lMS3dZQkJBR0M1UndDQVFFRUJBTUNCU0F3SVFZTEt3WUJCQUdDNVJ3QkFRUUVFZ1FReTJsSUhvLzNRRG1UN0FvbkthRlVxREFNQmdOVkhSTUJBZjhFQWpBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1huUU9YMkdENEx1RmRNUng1YnJyN0l2cW40SVRadXJUR0c3dFg4K2Ewd1lwSU43aGNQRTdiNUlORDlOYWwyYkhPMm9yaC90U1JLU0Z6Qlk1ZTRjdmRhOXJBZFZmR29PalRhQ1c2Rlo1L3RhMk0ydmdFaG96NURvOGZpdW9Yd0JhMVhDcDYxSmZJbFB0eDExUFhtNXBJUzJ3M2JYSTdtWTB1SFVNR3Z4QXp0YTc0ektYTHNsYUxhU1FpYlNLaldLdDloK1NzWHk0SkdxY1ZlZk9sYVFsSmZYTDFUZ2E2d2NPMFFUdTZYcStVdzdaUE5QbnJwQnJMYXVLRGQyMDJSbE40U1A3b2hMM2Q5Ykc2VjVoVXovM091c05FQlpVbjVXM1ZtUGoxWm5GYXZrTUIzUmtSTU9hNThNWkFPUkpUNGltQVB6cnZKMHZ0djk0L3k3MUM2dFo1Il0sImRpc3BsYXlOYW1lIjoiWXViaUtleSA1In0=',
'creationTime':'2019-12-12T09:42:21.2641041Z',
'deviceId':'00000000-0000-0000-0000-000000000000',
'customKeyInformation':'AQEAAAAAAAAAAAAAAAAA',
'fidoAaGuid':'cb69481e-8ff7-4039-93ec-0a2729a154a8',
'fidoAuthenticatorVersion':null,
'fidoAttestationCertificates':['e7d092ba192fdbbb2f36552832d616126971a269']
}";
// Parse the FIDO key and check all fields
var keyCredential = KeyCredential.ParseJson(jsonData);
Assert.AreEqual(KeyUsage.FIDO, keyCredential.Usage);
Assert.AreEqual("YubiKey 5", keyCredential.FidoKeyMaterial.DisplayName);
Assert.AreEqual("GshyINLMaOOwqt1LNUi0gQ==", keyCredential.Identifier);
Assert.AreEqual(2019, keyCredential.CreationTime.Year);
Assert.IsTrue(keyCredential.CustomKeyInfo.Flags.HasFlag(KeyFlags.Attestation));
Assert.AreEqual("e7d092ba192fdbbb2f36552832d616126971a269", keyCredential.FidoKeyMaterial.AttestationCertificates[0].Thumbprint.ToLowerInvariant());
Assert.AreEqual("cb69481e-8ff7-4039-93ec-0a2729a154a8", keyCredential.FidoKeyMaterial.AuthenticatorData.AttestedCredentialData.AaGuid.ToString());
// Serialize the object again and compare with the original
Assert.AreEqual(JToken.Parse(jsonData).ToString(Formatting.None), keyCredential.ToJson());
}
public void UpdateSpKeyCredential(MockContext context, string spObjectId, KeyCredential credential)
{
GetGraphClient(context).ServicePrincipals.UpdateKeyCredentials(spObjectId, new KeyCredentialsUpdateParameters(new List <KeyCredential>()
{
credential
}));
}
public void UpdateAppKeyCredential(MockContext context, string appObjectId, KeyCredential credential)
{
GetGraphClient(context).Applications.UpdateKeyCredentials(appObjectId, new KeyCredentialsUpdateParameters(new List <KeyCredential>()
{
credential
}));
}
/// <summary>
/// Create Azure AD application with cert as the key credential.
/// </summary>
/// <param name="cert"></param>
/// <returns></returns>
public async Task <Application> CreateApplicationAsync(X509Certificate2 cert)
{
Guid guid = Guid.NewGuid();
Application newApp = new Application
{
DisplayName = $"Microsoft.Azure.Services.AppAuthentication.Test{guid}",
IdentifierUris = new List <string> {
$"https://microsoft.com/demo/{guid}"
},
ReplyUrls = new List <string> {
"https://microsoft.com/demo"
},
OdataType = "Microsoft.DirectoryServices.Application",
AppRolesODataType = "Collection(Microsoft.DirectoryServices.AppRole)",
IdentifierUrisODataType = "Collection(Edm.String)",
ReplyUrlsODdataType = "Collection(Edm.String)",
KeyCredentialsODdataType = "Collection(Microsoft.DirectoryServices.KeyCredential)"
};
KeyCredential keyCredential = new KeyCredential
{
Type = "AsymmetricX509Cert",
Usage = "Verify",
Value = Convert.ToBase64String(cert.Export(X509ContentType.Cert)),
StartDate = cert.NotBefore,
EndDate = cert.NotAfter
};
newApp.KeyCredentials = new List <KeyCredential> {
keyCredential
};
return(await CreateApplication(newApp).ConfigureAwait(false));
}
protected override void ProcessRecord()
{
KeyCredential keyCredential;
switch (this.ParameterSetName)
{
case ParamSetFromDNBinary:
foreach (string singleValue in this.DNWithBinaryData)
{
keyCredential = KeyCredential.ParseDNBinary(singleValue);
this.WriteObject(keyCredential);
}
break;
case ParamSetFromBinary:
keyCredential = new KeyCredential(this.BinaryData, this.HolderDN);
this.WriteObject(keyCredential);
break;
case ParamSetFromUserCertificate:
case ParamSetFromComputerCertificate:
keyCredential = new KeyCredential(this.Certificate, this.DeviceId, this.HolderDN, this.CreationTime, this.IsComputerKey.IsPresent);
this.WriteObject(keyCredential);
break;
}
}
private static async Task <bool> RequestSignAsync(Guid userId, KeyCredentialRetrievalResult openKeyResult)
{
// Calling userKey.RequestSignAsync() prompts the uses to enter the PIN or use Biometrics (Windows Hello).
// The app would use the private key from the user account to sign the sign-in request (challenge)
// The client would then send it back to the server and await the servers response.
IBuffer challengeMessage = AuthService.AuthService.Instance.PassportRequestChallenge();
KeyCredential userKey = openKeyResult.Credential;
KeyCredentialOperationResult signResult = await userKey.RequestSignAsync(challengeMessage);
if (signResult.Status == KeyCredentialStatus.Success)
{
// If the challenge from the server is signed successfully
// send the signed challenge back to the server and await the servers response
return(AuthService.AuthService.Instance.SendServerSignedChallenge(
userId, Helpers.GetDeviceId(), signResult.Result.ToArray()));
}
else if (signResult.Status == KeyCredentialStatus.UserCanceled)
{
// User cancelled the Windows Hello PIN entry.
}
else if (signResult.Status == KeyCredentialStatus.NotFound)
{
// Must recreate Windows Hello key
}
else if (signResult.Status == KeyCredentialStatus.SecurityDeviceLocked)
{
// Can't use Windows Hello right now, remember that hardware failed and suggest restart
}
else if (signResult.Status == KeyCredentialStatus.UnknownError)
{
// Can't use Windows Hello right now, try again later
}
return(false);
}
public static async Task <bool> UnlinkAccount(string userId)
{
var retrieveResult = await KeyCredentialManager.OpenAsync(userId);
if (retrieveResult.Status != KeyCredentialStatus.Success)
{
return(false);
}
KeyCredential userCredential = retrieveResult.Credential;
string publicKeyHint = CalculatePublicKeyHint(userCredential.RetrievePublicKey());
var unlinkResult = await PlayFab.PlayFabClientAPI.UnlinkWindowsHelloAsync(new UnlinkWindowsHelloAccountRequest
{
PublicKeyHint = publicKeyHint
});
if (unlinkResult.Error != null)
{
MessageDialog message = new MessageDialog($"Error while un-linking: {unlinkResult.Error.Error} {unlinkResult.Error.ErrorMessage}");
await message.ShowAsync();
}
return(unlinkResult.Error == null);
}
public override void ExecuteCmdlet()
{
ExecutionBlock(() =>
{
if (!this.IsParameterBound(c => c.EndDate))
{
WriteVerbose(Resources.Properties.Resources.DefaultEndDateUsed);
EndDate = StartDate.AddYears(1);
}
if (this.IsParameterBound(c => c.ServicePrincipalObject))
{
ObjectId = ServicePrincipalObject.Id;
}
if (this.IsParameterBound(c => c.ServicePrincipalName))
{
ObjectId = ActiveDirectoryClient.GetObjectIdFromSPN(ServicePrincipalName);
}
if (Password != null && Password.Length > 0)
{
string decodedPassword = SecureStringExtensions.ConvertToString(Password);
// Create object for password credential
var passwordCredential = new PasswordCredential()
{
EndDate = EndDate,
StartDate = StartDate,
KeyId = Guid.NewGuid().ToString(),
Value = decodedPassword
};
if (ShouldProcess(target: ObjectId.ToString(), action: string.Format("Adding a new password to service principal with objectId {0}", ObjectId)))
{
WriteObject(ActiveDirectoryClient.CreateSpPasswordCredential(ObjectId, passwordCredential));
}
}
else if (this.IsParameterBound(c => c.CertValue))
{
// Create object for key credential
var keyCredential = new KeyCredential()
{
EndDate = EndDate,
StartDate = StartDate,
KeyId = Guid.NewGuid().ToString(),
Value = CertValue,
Type = "AsymmetricX509Cert",
Usage = "Verify"
};
if (ShouldProcess(target: ObjectId.ToString(), action: string.Format("Adding a new caertificate to service principal with objectId {0}", ObjectId)))
{
WriteObject(ActiveDirectoryClient.CreateSpKeyCredential(ObjectId, keyCredential));
}
}
else
{
throw new InvalidOperationException("No valid keyCredential or passwordCredential to update!!");
}
});
}
protected override void ProcessRecord()
{
KeyCredential keyCredential;
switch (this.ParameterSetName)
{
case ParamSetFromDNBinary:
keyCredential = KeyCredential.Parse(this.DNWithBinaryData);
break;
case ParamSetFromBinary:
keyCredential = new KeyCredential(this.BinaryData, this.HolderDN);
break;
case ParamSetFromCertificate:
default:
if (this.CreationTime.HasValue)
{
keyCredential = new KeyCredential(this.Certificate, this.DeviceId, this.HolderDN, this.CreationTime.Value);
}
else
{
keyCredential = new KeyCredential(this.Certificate, this.DeviceId, this.HolderDN);
}
break;
}
this.WriteObject(keyCredential);
}
/// <summary>
/// Get the public key of the windiws hello account
/// </summary>
/// <param name="accountId">The id of the account to use</param>
/// <exception cref="UserCancelledException"></exception>
/// <exception cref="AccountNotFoundException"></exception>
/// <exception cref="UnknownException"></exception>
/// <exception cref="AggregateException"></exception>
/// <returns>A passport result, storing the public key in its buffer</returns>
public static byte[] GetPublicKey(string accountId)
{
// Try to get the account
Task <KeyCredentialRetrievalResult> task = Task.Run(async() => await KeyCredentialManager.OpenAsync(accountId));
KeyCredentialRetrievalResult retrievalResult = task.Result;
// Check the KeyCredentialRetrievalResult status
switch (retrievalResult.Status)
{
case KeyCredentialStatus.Success:
// Get the user's credential
KeyCredential userCredential = retrievalResult.Credential;
// Get the public key
IBuffer publicKey = userCredential.RetrievePublicKey();
// Copy the public key to the PassportResult's buffer
CryptographicBuffer.CopyToByteArray(publicKey, out byte[] buffer);
// The operation was successful
return(buffer);
case KeyCredentialStatus.UserCanceled:
// User cancelled the Passport enrollment process
throw new UserCancelledException();
case KeyCredentialStatus.NotFound:
// The account was not found
throw new AccountNotFoundException();
default:
// An unknown error occurred
throw new UnknownException();
}
}
private async Task <IBuffer> CreatePassportKeyCredentialAsync()
{
// Create a new KeyCredential for the user on the device.
KeyCredentialRetrievalResult keyCreationResult = await KeyCredentialManager.RequestCreateAsync(userId, KeyCredentialCreationOption.ReplaceExisting);
if (keyCreationResult.Status == KeyCredentialStatus.Success)
{
// User has autheniticated with Windows Hello and the key credential is created.
KeyCredential userKey = keyCreationResult.Credential;
return(userKey.RetrievePublicKey());
}
else if (keyCreationResult.Status == KeyCredentialStatus.NotFound)
{
MessageDialog message = new MessageDialog("To proceed, Windows Hello needs to be configured in Windows Settings (Accounts -> Sign-in options)");
await message.ShowAsync();
return(null);
}
else if (keyCreationResult.Status == KeyCredentialStatus.UnknownError)
{
MessageDialog message = new MessageDialog("The key credential could not be created. Please try again.");
await message.ShowAsync();
return(null);
}
return(null);
}
public void SearchableDeviceKey_Serialize_FIDO_Input2()
{
string jsonData = @"{
'usage':'FIDO',
'keyIdentifier':'lSjOUI3XUtloTxC0ddVJtPLKZMQyKWKrTgXWadGmH9c=',
'keyMaterial':'eyJ2ZXJzaW9uIjoxLCJhdXRoRGF0YSI6Ik5XeWUxS0NUSWJscFh4NnZrWUlEOGJWZmFKMm1IN3lXR0V3VmZkcG9ESUhGQUFBRmRoTGUxMFZMN1VmVXE2cm5FL1VkWTVNQUlKVW96bENOMTFMWmFFOFF0SFhWU2JUeXltVEVNaWxpcTA0RjFtblJwaC9YcFFFQ0F5WWdBU0ZZSVAzWms5Vm5URUpONlQ4VWgxMHRPcUpmdDRicW1leVJUUzhvNkJQK2prYkNJbGdnYjFnR0dNMnM3T2dDMTNQdkZBVTJ1UDZJcVVGWWdiaGxQc3diUzRDK1FoV2hhMmh0WVdNdGMyVmpjbVYwOVE9PSIsIng1YyI6WyJNSUlDUXpDQ0FlbWdBd0lCQWdJUUhmSzFXbEhjUzJpRm85bWVhWC90RmpBS0JnZ3Foa2pPUFFRREFqQkpNUXN3Q1FZRFZRUUdFd0pWVXpFZE1Cc0dBMVVFQ2d3VVJtVnBkR2xoYmlCVVpXTm9ibTlzYjJkcFpYTXhHekFaQmdOVkJBTU1Fa1psYVhScFlXNGdSa2xFVHlCRFFTQXdNekFnRncweE9ERXlNalV3TURBd01EQmFHQTh5TURNek1USXlOREl6TlRrMU9Wb3djREVMTUFrR0ExVUVCaE1DVlZNeEhUQWJCZ05WQkFvTUZFWmxhWFJwWVc0Z1ZHVmphRzV2Ykc5bmFXVnpNU0l3SUFZRFZRUUxEQmxCZFhSb1pXNTBhV05oZEc5eUlFRjBkR1Z6ZEdGMGFXOXVNUjR3SEFZRFZRUUREQlZHVkNCQ2FXOVFZWE56SUVaSlJFOHlJREEwTnpBd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTNjJoSWJ5ZW5IOVdQbnpZSGVoYUJSM0M3cXN3b21aa2FQekd5VWxGUmlKSU1vM3VJVGVJbUZPRmZOY0R1T3pvcTF3Y1hYR1RtRXRFdHhGMndvOW5va280R0pNSUdHTUIwR0ExVWREZ1FXQkJTQkkxWG9MRFkxL0hKYWJhK1czMm54aHhwM1dqQWZCZ05WSFNNRUdEQVdnQlJCdC94TmRjcU8wcDhzMHhlYnpZTlJpbm5ZcVRBTUJnTlZIUk1CQWY4RUFqQUFNQk1HQ3lzR0FRUUJndVVjQWdFQkJBUURBZ1J3TUNFR0N5c0dBUVFCZ3VVY0FRRUVCQklFRUJMZTEwVkw3VWZVcTZybkUvVWRZNU13Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUk2R1NWaTEwcjY3M3VxdHNvKzJvQjZmNVM1Z0UwZmY0NHQzTmNRK1ROOU5BaUFDL1NDUCtlS3cxQm5tY1NnYnhjUXBZdVdqQlBNVkRmcWVnOHBibU9kSEt3PT0iLCJvQWpxMkNlTkEyL2d5NW14YzV0Vll4NVJ4RWFMektEMWxhMDdhZ3RmR28wPSJdLCJkaXNwbGF5TmFtZSI6IkZlaXRpYW4gQWxsLUluLVBhc3MifQ==',
'creationTime':'2020-03-31T21:41:44.8757516Z',
'deviceId':'00000000-0000-0000-0000-000000000000',
'customKeyInformation':'AQEAAAAAAAAAAAAAAAAA',
'fidoAaGuid':'12ded745-4bed-47d4-abaa-e713f51d6393',
'fidoAuthenticatorVersion':null,
'fidoAttestationCertificates':['4f94e8b002c79416507e9d9d390eca3153e1a5e8', '9e3808651ecfa53162772e9d2bc62bfe568350a9']
}";
// Parse the FIDO key from the SearchableDeviceKey_Parse_FIDO_Input2 test
var keyCredential = KeyCredential.ParseJson(jsonData);
throw new AssertInconclusiveException("FIDO2 JSON serialization must be improved.");
// This test fill fail for now:
Assert.AreEqual(2, keyCredential.FidoKeyMaterial.AttestationCertificates.Count);
// Serialize the object again and compare with the original
Assert.AreEqual(JToken.Parse(jsonData).ToString(Formatting.None), keyCredential.ToJson());
}
private void ValidateKeyCredential(KeyCredential credential)
{
if (credential == null || string.IsNullOrEmpty(credential.KeyId) || string.IsNullOrEmpty(credential.Value) ||
string.IsNullOrEmpty(credential.Type) || string.IsNullOrEmpty(credential.Usage) || credential.StartDate == null || credential.EndDate == null)
{
throw new InvalidOperationException(ProjectResources.KeyCredentialNotValid);
}
}
public override void ExecuteCmdlet()
{
ExecutionBlock(() =>
{
EndDate = StartDate.AddYears(1);
if (this.IsParameterBound(c => c.ApplicationObject))
{
ObjectId = ApplicationObject.ObjectId;
}
else if (this.IsParameterBound(c => c.ApplicationId))
{
ObjectId = ActiveDirectoryClient.GetAppObjectIdFromApplicationId(ApplicationId);
}
else if (this.IsParameterBound(c => c.DisplayName))
{
ObjectId = ActiveDirectoryClient.GetAppObjectIdFromDisplayName(DisplayName);
}
if (Password != null && Password.Length > 0)
{
string decodedPassword = SecureStringExtensions.ConvertToString(Password);
// Create object for password credential
var passwordCredential = new PasswordCredential()
{
EndDate = EndDate,
StartDate = StartDate,
KeyId = Guid.NewGuid().ToString(),
Value = decodedPassword
};
if (ShouldProcess(target: ObjectId.ToString(), action: string.Format("Adding a new password to application with objectId {0}", ObjectId)))
{
WriteObject(ActiveDirectoryClient.CreateAppPasswordCredential(ObjectId, passwordCredential));
}
}
else if (this.IsParameterBound(c => c.CertValue))
{
// Create object for key credential
var keyCredential = new KeyCredential()
{
EndDate = EndDate,
StartDate = StartDate,
KeyId = Guid.NewGuid().ToString(),
Value = CertValue,
Type = "AsymmetricX509Cert",
Usage = "Verify"
};
if (ShouldProcess(target: ObjectId.ToString(), action: string.Format("Adding a new certificate to application with objectId {0}", ObjectId)))
{
WriteObject(ActiveDirectoryClient.CreateAppKeyCredential(ObjectId, keyCredential));
}
}
else
{
throw new InvalidOperationException("No valid keyCredential or passowrdCredential to update!!");
}
});
}
public PSADCredential CreateSpKeyCredential(string spObjectId, KeyCredential credential)
{
ValidateKeyCredential(credential);
var keyCredsList = GetSpKeyCredentials(spObjectId);
// Add new KeyCredential to existing KeyCredential list
keyCredsList.Add(credential);
PatchSpKeyCredentials(spObjectId, keyCredsList);
return(credential.ToPSADCredential());
}
public void KeyCredential_Parse_NonMFAKey()
{
byte[] blob = "000200002000010D76D33954251DA969022D0D3B009939E256A6C9B3FF657907C72063F89AE79E200002F6B00E6A9BA3066ABDE0E4B23EB82D5E42898263AD46CA84BE0CFD20E81F91C00E01033082010A0282010100D6589A6FE210490583C1DCD57E3579AB24979D9B1A7118E3553DEDCFFA5CF5ABD41CF6C19CBBE598CE6F9140541E8FF8A778BD5CAADD8D038A49785A4D9031C98E26783E824BA3CF00D86C112A9A5C65A5ACF2B077E365D947BD41A437E7034CC00A77550B2EA8CEC18C1F7516DA4DC13177E1DE1D32FBBDDE1E1FD7395AAB71A8F302B985A64248C3A239E6943AEAFA9A8B591AE499F31723F7DC8A22A6D197445056DA4DF9D13443DB4A6201D52D82795A2F2FFA2F75B6F2605E213609A39DF33F26E023D83D9C4BDDD4879E234407833BA38460CBC66D9D31CDF2C5B3A042F321DA7F2140ECC4A5A190306ED51FE0EA5273DD83D5338B2554ABD3738A06A50203010001010004010100050002000701020800086254F138261CD3010800096254F138261CD301".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.NGC, key.Usage);
Assert.AreEqual(KeySource.ActiveDirectory, key.Source);
Assert.IsTrue(key.CustomKeyInfo.Flags.HasFlag(KeyFlags.MFANotUsed));
}
public void KeyCredential_Parse_UserKey4()
{
byte[] blob = "00020000200001B172047DE6F5926155BEEF8A10E7F16453C371696E61927257E7DE1876ADBE1920000248054C70147BF28076C655A54D7493FFD723DE422E6DF8BFA89C059D8A3E84521B0103525341310008000003000000000100000000000000000000010001B11FDB9CC39BB2C09AA244E8794BF60C7C9A7348DE93E9F368D4FFA77E6B96BB81898D53DA004BA74EC5E5EAE8C67D6DBC126863A78C436357A6C0AF5AF0557E8B1C71319D98CF6ECABED321E0751EAC0FCD2808A02152B0D703AFE0B54C10132CE981E4088A28110F5A4743B5D5A7862A5EAED28F53F2413CE763BCD823EC81EB225EB6A9A9989006E36A574D3FFDBF62BE4BDC00F7014D2E59BFD4077285BE88232BABFC3AEF85E20D8E97C2A94F64902CC86ADC3A2C486CC7CA8D0B163DEB41F1F66D202382D1C5F7DAC30BF9CA6F26538E5E91F3E1CBD8818B58459676588913BABD84E1AE0C2CCF5A76326F81B063581468B55B3E015DDA17B30A436CA10100040101000501100006739E89E927DBF94AB7EBC4201D6577EB040007010000000800080040230E430000400800094C79579CD17CD448".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.NGC, key.Usage);
Assert.AreEqual(KeySource.AzureActiveDirectory, key.Source);
Assert.AreEqual(KeyFlags.None, key.CustomKeyInfo.Flags);
}
public void KeyCredential_Parse_UserKey3()
{
byte[] blob = "00020000200001D333C85D306B27498806D9AEFDC984C18DE8EB855BF481E4AD3A24A21929FD5B200002E88E7EBE4CE413FDA9ED987C0CC8C327438B0861DC3BE116680CF8E2BAEB27B01B0103525341310008000003000000000100000000000000000000010001976D21DC9A0C0B84040688F5E7F2BB8147B1305CA01CEFDB13E9FAB49EB6734FD3C32B5D34B01EB6ACE35DDF73E62CB506501A5FD1AAAB698FB98AEA2F2721393C155D84DDF59EF91D8F6402FD755D246C3E04BAF96EFA04BBC7DD314C083800B934B192EA587904C938255D781EC0B2FE8FA3135F952A13FF805492579AD6710051525A7A824A8A5CBA74EF4D3A2F2E271856FF633A411912A53BEAA2805A1B57148ACC8404B473FD3580F450DE5AAB10334FEB084B6045A65840898A66BF88AE19DB802AF7FA4AEED95ECDC8FF286AE0075575F82974396B72730C15C511A961BBD6A5A4B46D395AA85F82ACBD585CE57DAE05EE7B22CBEA9E9E02571EF5890100040101000501100006871059FD5C24F54FA5EAC14DE5E2B32D05000701000000000800080040230E43000040080009D1B7948179CED448".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.NGC, key.Usage);
Assert.AreEqual(KeySource.AzureActiveDirectory, key.Source);
Assert.AreEqual(KeyFlags.None, key.CustomKeyInfo.Flags);
}
public void KeyCredential_Parse_UserKey2()
{
byte[] blob = "000200002000013845C226E299D67EFB43D7504DA462E2D951B517124E5D41A9B0C61E5A15B978200002A2E324776A66AED61D60C771DE3B1B8AA38CF260B63083DB1DA554F233FBF92B1B0103525341310008000003000000000100000000000000000000010001BF723DF58198223D30D10EF3335B1360453A89C57D4B8F0CCE3F958F834F50A01A069E3D92AE0DE07C92A43DF405AC756FFE2C97801E879CED5B0E25E052CEBF352C605C36BF87A2CFC16F830ABCB5A14DDC3EE282313ABE7049C55F2D37164BD050A20C8E5F6CD4B9EDDEC523836EA8DDF0E94ECE5B87A4B6541811312FED6BA0A118E174CCA19352C1A0DB704B9E789C086FB58543554746F4DFCDDD8E5DFEA2A548788DC340FD806A6D6ED6F2003B9E1447AF6A4040FBB2802D9093C3EB432BB72B8F033887555F60E70B927CB6C1FEC2BF17C03FCA03B3BAA56FB4F2A1ECCCD33B6C6AFCBB29CB65304E5894FDD77FD3982D1FB2B2AEAC6B5451F14A1A8F01000401010005011000064B5E981009083D448679149422D9E1700600070100000100000800080040230E430000400800097A9DBAB3B32AD548".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.NGC, key.Usage);
Assert.AreEqual(KeySource.AzureActiveDirectory, key.Source);
Assert.IsTrue(key.CustomKeyInfo.SupportsNotification);
}
public void KeyCredential_Parse_ComputerKey()
{
byte[] blob = "000200002000019C00E026B615793DE47951FF58A15F1F967297980C3EDAAF60B9E08FC9986F1320000204B8D485B4691C934E291D38B873B78390D4074B5D5391A851BF12C7466FEEC40E01033082010A0282010100B851C9219527F52E8A51582243E2CCA390B634FE5DE16B2BCA2E225257F3FF20BFE478C98B36095C49D897D42A67E2545D77003D38B9DF18682AF6FBFF281895CE61DADD5F72E13B40DA34E47833D380E58175F7D509DFA5E9971068756626AF1425B7CE0393BDB28AFF8E25CC601DE4542672E723B5BBB4E7D3963C2ACFB445171B43C14683DF0ED6524BD11F583D5BBEEBBA1DE6DE3384DF598E0D8BADACFBF1667890DC72CE61AF746084364BC288D982F23A6CD123E9BB6B701E00B096BE899876FE93BDD8B1C56FC107F36F7B2C8CE1AFB715FCDECA192634BE961B6104F21BFD84C97305123FF69D05D685CC8760CE54D9788457882D9DD39AFDA1D77D0203010001010004010100050008000831FF708C3402D401080009A962ABD55AF6D301".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.NGC, key.Usage);
Assert.AreEqual(KeySource.ActiveDirectory, key.Source);
Assert.IsNull(key.CustomKeyInfo);
}
public static PSADCredential ToPSADCredential(this KeyCredential credential)
{
return(new PSADCredential
{
KeyId = credential.KeyId,
StartDate = credential.StartDate == null ? string.Empty : credential.StartDate.ToString(),
EndDate = credential.EndDate == null ? string.Empty : credential.EndDate.ToString(),
Type = credential.Type
});
}
/// <summary>
/// Creates a view to for adding a key credential to an existing <see cref="Application"/> in Graph.
/// </summary>
/// <param name="objectId">Unique identifier of the <see cref="Application"/>.</param>
/// <returns>A view with details to add a key to the <see cref="Application"/>.</returns>
public ActionResult AddKey(string objectId)
{
//Get the access token as we need it to make a call to the Graph API
AuthenticationResult result = null;
Application app = null;
try
{
// Get the access token from the cache
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority,
new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
result = authContext.AcquireTokenSilent(graphResourceId, credential,
new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
//Setup Graph API connection and get a list of groups
Guid ClientRequestId = Guid.NewGuid();
GraphSettings graphSettings = new GraphSettings();
graphSettings.ApiVersion = GraphConfiguration.GraphApiVersion;
GraphConnection graphConnection = new GraphConnection(result.AccessToken, ClientRequestId, graphSettings);
app = graphConnection.Get <Application>(objectId);
}
catch (Exception e)
{
if (Request.QueryString["reauth"] == "True")
{
//
// Send an OpenID Connect sign-in request to get a new set of tokens.
// If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
// The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
//
HttpContext.GetOwinContext().Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
//
// The user needs to re-authorize. Show them a message to that effect.
//
ViewBag.ErrorMessage = "AuthorizationRequired";
return(View());
}
KeyCredential key = new KeyCredential();
key.KeyId = System.Guid.NewGuid();
key.Type = "Symmetric";
key.Usage = "Verify";
String keyValue = "VSoJ0xLgSyQv60M+mJCtJOMM6yflDz5pLnAVNzGT6do=";
byte[] keyBytes = System.Text.Encoding.ASCII.GetBytes(keyValue);
key.Value = keyBytes;
app.KeyCredentials.Add(key);
return(View(app));
}
public void KeyCredential_Parse_UserKeyFIDO()
{
byte[] blob = "000200001000015847BA3C54FEDCC4FEA49D957D1FF88D20000261D774442D358413F23535501330F1FCB80FAA161C090932FA706966C812B724C404037B2276657273696F6E223A312C226175746844617461223A224E577965314B435449626C70587836766B59494438625666614A326D48377957474577566664706F44494846414141414D766F726D6479654F554A586A354A4B4D4E49385152674145466848756A78552F747A452F7153646C5830662B49326C415149444A69414249566767684858674A303148324B3568387A473075642F762B4E6757724F504C726F6B3976364E436D3168666F766B695743435376764C507A456F667878324D67442F4F54337A676C5850587A6357464B36554C575863505A54305862364672614731685979317A5A574E795A585431222C22783563223A5B224D4949437644434341615367417749424167494541363377456A414E42676B71686B69473977304241517346414441754D5377774B6759445651514445794E5A64574A705932386756544A4749464A7662335167513045675532567961574673494451314E7A49774D44597A4D544167467730784E4441344D4445774D4441774D444261474138794D4455774D446B774E4441774D4441774D466F776254454C4D416B474131554542684D4355305578456A415142674E5642416F4D43566C31596D6C6A62794242516A45694D434147413155454377775A515856306147567564476C6A59585276636942426448526C6333526864476C76626A456D4D43514741315545417777645758566961574E764946557952694246525342545A584A70595777674E6A45334D7A41344D7A51775754415442676371686B6A4F5051494242676771686B6A4F50514D4242774E434141515A6E6F65634669323333446E75536B4B675268616C73776E2B79676B766472344A53506C746270584B354D786C7A56536757632B3978386D7A477973646242684565634C41596651597170564C57576F7348506F586F327777616A416942676B724267454541594C4543674945465445754D7934324C6A45754E4334784C6A51784E4467794C6A45754E7A4154426773724267454541594C6C4841494241515145417749454D444168426773724267454541594C6C4841454242415153424244364B356E636E6A6C4356342B53536A4453504545594D41774741315564457745422F7751434D4141774451594A4B6F5A496876634E4151454C425141446767454241436A727332662B30646A77346F6E7279702F32324164587867366135587978636F796248446A4B7537324532534E3971444773495A536644793338444446722F6246317332356A6F69753757413674796C4B4130486D45446C6F654A584A69576A76376832417A322F736971576E4A4F4C6963345845316C4143684A53325841716B536B39564647656C6733534C4F696966724265742B6562645177414C2B325146726352374A7258525147396B557937364F3256635367626450524F7348664F59657977617268616C7956535A2B364F4F594B2F512F444C49614F43306A58726E6B7A6D32796D4D5146516C4241497973725965454D3177786946627744742B6C416362634F4574484566355A6C576937356E557A6C576E386253782F35464F3454625A35684945635569475270694942454D525A6C4F496D345A49625A79636E2F764A4F465254567073305630533479677444633D225D2C22646973706C61794E616D65223A22597562696B65792035227D0100040701000501100006000000000000000000000000000000000F00070101000000000000000000000000000800080040230E430000400800099310993462F6D648".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.FIDO, key.Usage);
Assert.AreEqual(KeySource.AzureActiveDirectory, key.Source);
Assert.AreEqual(KeyFlags.Attestation, key.CustomKeyInfo.Flags);
Assert.AreEqual("WEe6PFT+3MT+pJ2VfR/4jQ==", key.Identifier);
}
public void KeyCredential_Parse_DeviceKey()
{
byte[] blob = "0002000020000173E6BEB8A9B5B0828388476E7BFDD5F8E7A113EC0807EF25C0FBCF39CEB4311120000299DA9872C6EB63882C1200B3B2BECCF3C582418F9FC56905963ADA62E52DF3B31B0103525341310008000003000000000100000000000000000000010001B40D7085917A30D2F0D434FEF57477099FFFEBC79F28EB414BB75C86B4B5CAC0D9E6ACA86EB8126EDB724AF40FD773A7F14732A7ED862A0828A367194FB3D61EC6EA15CB450597F3BAA64E4974B255D0819E06B58B47C858C384B88E27D0EA52F962A592B115EEA3AA21A6A5185DD58F5D779118717FD07C8CAF50F5F078BFC3AED355BB2F78E8C48C4F6DA2BD679CDCD1C0ED8320F5BC9EC6545E4E7CD9AA7642E180E2A3AD20BCCCF3C30A34BEDF27835528BE955A7599D42869339218936E78FF6D46BEEE0097F2DECB2791F7842BB55BA639A44F659F547B5AA1E959370ACBC908248D05893D539F7E4E6BE834CCF0A3101879717585D015992B3C9407410100040201000500100006E377F547D0D20A4A8ACAE0501098BDE40200070100080008405E47D3C301D401080009405E47D3C301D401".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.STK, key.Usage);
Assert.AreEqual(KeySource.ActiveDirectory, key.Source);
Assert.AreEqual("c+a+uKm1sIKDiEdue/3V+OehE+wIB+8lwPvPOc60MRE=", key.Identifier);
Assert.IsNotNull(key.CustomKeyInfo);
}
public void KeyCredential_Parse_UserKey1()
{
byte[] blob = "0002000020000120717AE052FCCF546AAD0D51E878AAD69CE04FDC39F5A8D8E3CEBA6BCB4DA0E720000214B7474E61C1001D3E546CFED8E387CFC1AC86A2CA7B3CDCF1267614585E2A341B0103525341310008000003000000000100000000000000000000010001C1A78914457758B0B13C70C710C7F8548F3F9ED56AD4640B6E6A112655C98ECAC1CBD68A298F5686C08439428A97FE6FDF58D78EA481905182BAD684C2D9C5CDE1CDE34AA19742E8BBF58B953EAC4C562FCF598CC176B02DBE9FFFEF5937A65815C236F92892F7E511A1FEDD5483CB33F1EA715D68106180DED2432A293367114A6E325E62F93F73D7ECE4B6A2BCDB829D95C8645C3073B94BA7CB7515CD29042F0967201C6E24A77821E92A6C756DF79841ACBAAE11D90CA03B9FCD24EF9E304B5D35248A7BD70557399960277058AE3E99C7C7E2284858B7BF8B08CDD286964186A50A7FCBCC6A24F00FEE5B9698BBD3B1AEAD0CE81FEA461C0ABD716843A50100040101000500100006E377F547D0D20A4A8ACAE0501098BDE40200070100080008417BD66E6603D401080009417BD66E6603D401".HexToBinary();
var key = new KeyCredential(blob);
Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
Assert.AreEqual(KeyUsage.NGC, key.Usage);
Assert.AreEqual(KeySource.ActiveDirectory, key.Source);
Assert.AreEqual("IHF64FL8z1RqrQ1R6Hiq1pzgT9w59ajY4866a8tNoOc=", key.Identifier);
Assert.AreEqual("47f577e3-d2d0-4a0a-8aca-e0501098bde4", key.DeviceId.ToString());
Assert.IsNotNull(key.CustomKeyInfo);
}
public void KeyCredential_Generate_FromPublicKey()
{
byte[] publicKey = "525341310008000003000000000100000000000000000000010001C1A78914457758B0B13C70C710C7F8548F3F9ED56AD4640B6E6A112655C98ECAC1CBD68A298F5686C08439428A97FE6FDF58D78EA481905182BAD684C2D9C5CDE1CDE34AA19742E8BBF58B953EAC4C562FCF598CC176B02DBE9FFFEF5937A65815C236F92892F7E511A1FEDD5483CB33F1EA715D68106180DED2432A293367114A6E325E62F93F73D7ECE4B6A2BCDB829D95C8645C3073B94BA7CB7515CD29042F0967201C6E24A77821E92A6C756DF79841ACBAAE11D90CA03B9FCD24EF9E304B5D35248A7BD70557399960277058AE3E99C7C7E2284858B7BF8B08CDD286964186A50A7FCBCC6A24F00FEE5B9698BBD3B1AEAD0CE81FEA461C0ABD716843A5".HexToBinary();
Guid deviceId = Guid.Parse("47f577e3-d2d0-4a0a-8aca-e0501098bde4");
DateTime creationTime = DateTime.FromFileTime(131734027581684545);
string expectedKeyCredentialBlob = "0002000020000120717AE052FCCF546AAD0D51E878AAD69CE04FDC39F5A8D8E3CEBA6BCB4DA0E720000214B7474E61C1001D3E546CFED8E387CFC1AC86A2CA7B3CDCF1267614585E2A341B0103525341310008000003000000000100000000000000000000010001C1A78914457758B0B13C70C710C7F8548F3F9ED56AD4640B6E6A112655C98ECAC1CBD68A298F5686C08439428A97FE6FDF58D78EA481905182BAD684C2D9C5CDE1CDE34AA19742E8BBF58B953EAC4C562FCF598CC176B02DBE9FFFEF5937A65815C236F92892F7E511A1FEDD5483CB33F1EA715D68106180DED2432A293367114A6E325E62F93F73D7ECE4B6A2BCDB829D95C8645C3073B94BA7CB7515CD29042F0967201C6E24A77821E92A6C756DF79841ACBAAE11D90CA03B9FCD24EF9E304B5D35248A7BD70557399960277058AE3E99C7C7E2284858B7BF8B08CDD286964186A50A7FCBCC6A24F00FEE5B9698BBD3B1AEAD0CE81FEA461C0ABD716843A50100040101000500100006E377F547D0D20A4A8ACAE0501098BDE40200070100080008417BD66E6603D401080009417BD66E6603D401";
var keyCredential = new KeyCredential(publicKey, deviceId, DummyDN, creationTime);
byte[] keyCredentialBlob = keyCredential.ToByteArray();
Assert.AreEqual(expectedKeyCredentialBlob, keyCredentialBlob.ToHex(true));
}
internal CertificateCredentialImpl(KeyCredential keyCredential)
: base(!String.IsNullOrEmpty(keyCredential.CustomKeyIdentifier) ? System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(keyCredential.CustomKeyIdentifier)) : keyCredential.KeyId, keyCredential)
{
if (!String.IsNullOrEmpty(keyCredential.CustomKeyIdentifier))
{
this.name = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(keyCredential.CustomKeyIdentifier));
}
else
{
this.name = keyCredential.KeyId;
}
}
private async Task <bool> SignInWithHelloAsync()
{
LookupUser();
// Open the existing user key credential.
KeyCredentialRetrievalResult retrieveResult = await KeyCredentialManager.OpenAsync(userId);
if (retrieveResult.Status != KeyCredentialStatus.Success)
{
return(false);
}
KeyCredential userCredential = retrieveResult.Credential;
// Request a challenge from the server.
JsonValue jsonChallenge = await JsonRequest.Create()
.AddString("userId", userId)
.AddString("publicKeyHint", publicKeyHint)
.PostAsync("api/Authentication/RequestChallenge");
if (jsonChallenge == null)
{
return(false);
}
// Sign the challenge using the user's KeyCredential.
IBuffer challengeBuffer = CryptographicBuffer.DecodeFromBase64String(jsonChallenge.GetString());
KeyCredentialOperationResult opResult = await userCredential.RequestSignAsync(challengeBuffer);
if (opResult.Status != KeyCredentialStatus.Success)
{
return(false);
}
// Get the signature.
IBuffer signatureBuffer = opResult.Result;
// Send the signature back to the server to confirm our identity.
// The publicKeyHint tells the server which public key to use to verify the signature.
JsonValue jsonResult = await JsonRequest.Create()
.AddString("userId", userId)
.AddString("publicKeyHint", publicKeyHint)
.AddString("signature", CryptographicBuffer.EncodeToBase64String(signatureBuffer))
.PostAsync("api/Authentication/SubmitResponse");
if (jsonResult == null)
{
return(false);
}
return(jsonResult.GetBoolean());
}
private async Task <IBuffer> GetPassportAuthenticationMessage(IBuffer message, string accountId)
{
KeyCredentialRetrievalResult openKeyResult = await KeyCredentialManager.OpenAsync(accountId);
if (openKeyResult.Status == KeyCredentialStatus.Success)
{
KeyCredential userKey = openKeyResult.Credential;
IBuffer publicKey = userKey.RetrievePublicKey();
KeyCredentialOperationResult signResult = await userKey.RequestSignAsync(message);
if (signResult.Status == KeyCredentialStatus.Success)
{
return(signResult.Result);
}
else if (signResult.Status == KeyCredentialStatus.UserCanceled)
{
// User cancelled the Passport PIN entry.
//
// We will return null below this and the username/password
// sign in form will show.
}
else if (signResult.Status == KeyCredentialStatus.NotFound)
{
// Must recreate Passport key
}
else if (signResult.Status == KeyCredentialStatus.SecurityDeviceLocked)
{
// Can't use Passport right now, remember that hardware failed and suggest restart
}
else if (signResult.Status == KeyCredentialStatus.UnknownError)
{
// Can't use Passport right now, try again later
}
return(null);
}
else if (openKeyResult.Status == KeyCredentialStatus.NotFound)
{
// Passport key lost, need to recreate it
//textblock_PassportStatusText.Text = "Microsoft Passport is almost ready!\nPlease go to Windows Settings and set up a PIN to use it.";
//grid_PassportStatus.Background = new SolidColorBrush(Color.FromArgb(255, 50, 170, 207));
//button_PassportSignIn.IsEnabled = false;
m_passportAvailable = false;
}
else
{
// Can't use Passport right now, try again later
}
return(null);
}
public override void ExecuteCmdlet()
{
ExecutionBlock(() =>
{
if (!string.IsNullOrEmpty(ServicePrincipalName))
{
ObjectId = ActiveDirectoryClient.GetObjectIdFromSPN(ServicePrincipalName);
}
#pragma warning disable 0618
if (!string.IsNullOrEmpty(Password))
#pragma warning restore 0618
{
// Create object for password credential
var passwordCredential = new PasswordCredential()
{
EndDate = EndDate,
StartDate = StartDate,
KeyId = Guid.NewGuid().ToString(),
#pragma warning disable 0618
Value = Password
#pragma warning restore 0618
};
if (ShouldProcess(target: ObjectId, action: string.Format("Adding a new password to service principal with objectId {0}", ObjectId)))
{
WriteObject(ActiveDirectoryClient.CreateSpPasswordCredential(ObjectId, passwordCredential));
}
}
else if (!string.IsNullOrEmpty(CertValue))
{
// Create object for key credential
var keyCredential = new KeyCredential()
{
EndDate = EndDate,
StartDate = StartDate,
KeyId = Guid.NewGuid().ToString(),
Value = CertValue,
Type = "AsymmetricX509Cert",
Usage = "Verify"
};
if (ShouldProcess(target: ObjectId, action: string.Format("Adding a new caertificate to service principal with objectId {0}", ObjectId)))
{
WriteObject(ActiveDirectoryClient.CreateSpKeyCredential(ObjectId, keyCredential));
}
}
else
{
throw new InvalidOperationException("No valid keyCredential or passwordCredential to update!!");
}
});
}
