// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddCors(); services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); services.Configure <AppSettings>(Configuration.GetSection("AppSettings")); services.AddHttpContextAccessor(); services.AddScoped <IUserService, UserService>(); services.AddAuthentication(a => { a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(x => { x.RequireHttpsMetadata = false; x.SaveToken = true; x.TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = new X509SecurityKey(CertificateUtilities.GetCertificate(Configuration.GetValue <string>("XCM_AUTH_CERT"))), ValidateIssuer = false, ValidateAudience = false }; }); }
public byte[] Decrypt(byte[] value) { // Load the certificate if not already loaded if (_publicKey == null || _privateKey == null) { var cert = CertificateUtilities.GetCertificateFromSerial(_state.Serial); if (cert == null || !cert.HasPrivateKey) { var pkcs = CertificateUtilities.GetPkcs11CertificateFromSerial(_state.Serial); if (pkcs == null) { throw new ArgumentException("A certificate with this serial could not be found.", nameof(_state.Serial)); } _publicKey = pkcs.GetRSAPublicKey(); _privateKey = pkcs.GetRSAPrivateKey(); } else { _publicKey = cert.PublicKey.Key; _privateKey = cert.PrivateKey as RSACng; } } if (_rawKey == null) { _rawKey = new RsaCryptoProvider(_privateKey).Decrypt(_state.ProviderKey); } // Decrypt the value return(new AesCryptoProvider(new CryptoKey(new CryptoKeyProtector("None", _rawKey))).Decrypt(value)); }
public async Task SimulateDevice(string deviceType, int messageDelay, int n, string caFile) { var producer = new IoTHubProducerCommands(CurrentContext, service); if (!String.IsNullOrWhiteSpace(caFile)) { Console.WriteLine($"Registering CA certificate: {caFile}"); var caCert = await CertificateUtilities.LoadPemCACertificate(caFile, null); CertificateUtilities.RegisterCert2(caCert); } if (string.Compare(deviceType, "temperature", true) == 0) { await producer. SimulateTemperatureSensor(messageDelay, n); } else if (string.Compare(deviceType, "temperature_pair", true) == 0) { await producer. SimulateTemperatureSensorPair(messageDelay, n); } else { Console.WriteLine($"No matching device type: {deviceType}"); } await Task.CompletedTask; }
public bool IsValid(AssertionModel assertionModel) { try { if (!_decodedJwtValidator.IsIShareCompliant(CreateTokenValidationArgs(assertionModel))) { return(false); } if (!IsRootCertificateTrusted(CertificateUtilities.FromBase64Der(assertionModel.Certificates.Last()))) { _logger.LogWarning("SO root certificate is untrusted."); return(false); } var x509Certificate = CertificateUtilities.FromBase64Der(assertionModel.Certificates.First()); var additionalCertificates = assertionModel.Certificates.Skip(1) .Select(CertificateUtilities.FromBase64Der) .ToArray(); return(IsChainValid(x509Certificate, additionalCertificates) && DoesBelongToSchemeOwner(x509Certificate)); } catch (Exception e) { _logger.LogError(e, "Error occurred while validating token response retrieved from Scheme Owner."); return(false); } }
private SafeguardA2AContext(string networkAddress, string certificateThumbprint, string certificatePath, SecureString certificatePassword, int apiVersion, bool ignoreSsl) { _networkAddress = networkAddress; // set cloning properties _certificateThumbprint = certificateThumbprint; _certificatePath = certificatePath; _certificatePassword = certificatePassword?.Copy(); _apiVersion = apiVersion; var safeguardA2AUrl = $"https://{_networkAddress}/service/a2a/v{_apiVersion}"; _a2AClient = new RestClient(safeguardA2AUrl); if (ignoreSsl) { _ignoreSsl = true; _a2AClient.RemoteCertificateValidationCallback += (sender, certificate, chain, errors) => true; } _clientCertificate = !string.IsNullOrEmpty(_certificateThumbprint) ? CertificateUtilities.GetClientCertificateFromStore(_certificateThumbprint) : CertificateUtilities.GetClientCertificateFromFile(_certificatePath, _certificatePassword); _a2AClient.ClientCertificates = new X509Certificate2Collection() { _clientCertificate }; }
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync() { ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync(); CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync(); var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null); var serviceOptions = new TimestampServiceOptions() { Accuracy = accuracy }; TimestampService timestampService = TimestampService.Create(ca, serviceOptions); AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048); DateTimeOffset now = DateTimeOffset.UtcNow; var issueOptions = new IssueCertificateOptions() { KeyPair = keyPair, NotAfter = now.AddSeconds(10), NotBefore = now.AddSeconds(-2), SubjectName = new X509Name("CN=NuGet Test Expired Certificate") }; BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions); using (testServer.RegisterResponder(timestampService)) using (TestDirectory directory = TestDirectory.Create()) using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair)) { var packageContext = new SimpleTestPackageContext(); string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync( certificate, packageContext, directory, timestampService.Url); await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate); var verifier = new PackageSignatureVerifier(_trustProviders); using (var packageReader = new PackageArchiveReader(signedPackagePath)) { VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None); PackageVerificationResult result = results.Results.Single(); Assert.False(results.IsValid); Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust); Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error)); Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning)); Assert.Contains(result.Issues, issue => issue.Code == NuGetLogCode.NU3037 && issue.Level == LogLevel.Error && issue.Message.Contains("validity period has expired.")); } } }
public void FromPemFormat_FromBase64Der_BothCertsConvertedCorrectly() { var cert1 = CertificateUtilities.FromPemFormat(Constants.SchemeOwner.PublicKey); var cert2 = CertificateUtilities.FromBase64Der(Constants.SchemeOwner.PublicKeyBase64Der); var sha1 = cert1.GetSha256(); var sha2 = cert2.GetSha256(); sha1.Should().Be(sha2); }
public SafeguardEventListener(string eventUrl, X509Certificate2 clientCertificate, SecureString apiKey, bool ignoreSsl) : this(eventUrl, ignoreSsl) { _clientCertificate = CertificateUtilities.Copy(clientCertificate); if (apiKey == null) { throw new ArgumentException("Parameter may not be null", nameof(apiKey)); } _apiKey = apiKey.Copy(); }
public async Task IsValidAsync_ChainInvalid_ReturnsFalse() { var args = new CertificateValidationArgs( CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey), Constants.AbcParty.ClientId, new[] { CertificateUtilities.FromPemFormat(RandomCaPublicKey) }); var result = await _sut.IsValidAsync(args, "access_token_which_wont_be_used_here"); result.Should().BeFalse(); }
private static CertificateValidationArgs CreateValidArgs() { return(new CertificateValidationArgs( CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey), Constants.AbcParty.ClientId, new[] { CertificateUtilities.FromPemFormat(Constants.TestCertificateAuthority.IntermediateCaPublicKey), CertificateUtilities.FromPemFormat(Constants.TestCertificateAuthority.RootCaPublicKey) })); }
public FederationSecurityTokenServiceConfiguration() : base( WebConfigurationManager.AppSettings[ApplicationSettingsNames.IssuerName], new X509SigningCredentials( CertificateUtilities.GetCertificate( StoreName.My, StoreLocation.LocalMachine, WebConfigurationManager.AppSettings[ApplicationSettingsNames.SigningCertificateName]))) { this.SecurityTokenService = typeof(FederationSecurityTokenService); this.DefaultTokenType = SecurityTokenTypes.Saml2TokenProfile11; }
public async Task <IActionResult> RegisterCertificateCallback([FromBody] SmartCardAuthorizationResponse smartCardAuthorizationResponse) { var sub = HttpContext.User.Claims.FirstOrDefault(x => x.Type == "sub")?.Value; if (string.IsNullOrEmpty(sub)) { return(Json(new { success = false })); } var user = await _users.FindByIdAsync(sub); if (smartCardAuthorizationResponse == null || string.IsNullOrEmpty(smartCardAuthorizationResponse.Certificate) || string.IsNullOrEmpty(smartCardAuthorizationResponse.Token)) { return(Json(new { success = false })); } var certificate = CertificateUtilities.GetAndValidateCertificate(smartCardAuthorizationResponse.Certificate); if (certificate == null) { return(Json(new { success = false })); } if (_authContext.UserCertificates.FirstOrDefault(x => x.Thumbprint == certificate.Thumbprint) != null) { return(Json(new { success = false })); } var payload = HttpContext.Session.GetString("certificateRegister.challenge"); var verifyResult = JwtUtils.ValidateJWT( certificate, smartCardAuthorizationResponse.Token, smartCardAuthorizationResponse.Algorithm, payload); if (verifyResult) { var dbuser = _authContext.Users.First(u => u.Id == user.Id); var userCert = new UserCertificate() { Certificate = Convert.ToBase64String(certificate.RawData), Thumbprint = certificate.Thumbprint, User = dbuser, RegistrationDate = DateTime.Now, Subject = certificate.Subject }; _authContext.UserCertificates.Add(userCert); _authContext.SaveChanges(); return(Json(new { success = true })); } return(Json(new { success = false })); }
public IOutboundTransport CreateTransport() { if (ServerCertificate == null && !string.IsNullOrEmpty(_certificatePath)) { lock (this) ServerCertificate = (string.IsNullOrEmpty(CertificatePassword)) ? CertificateUtilities.LoadCertificate(_certificatePath) : CertificateUtilities.LoadCertificate(_certificatePath, CertificatePassword); } return(new SyslogTlsTransport(ServerCertificate, ValidateClientCertificate) { Log = Log }); }
public byte[] Encrypt(byte[] value) { // Generate the key if not already present if (_state.ProviderKey == null) { if (_rawKey == null) { _rawKey = CertificateUtilities.GenerateEncryptionKey(_publicKey.KeySize); } _state.ProviderKey = new RsaCryptoProvider(_privateKey).Encrypt(_rawKey); } // Encrypt the value return(new AesCryptoProvider(new CryptoKey(new CryptoKeyProtector("None", _rawKey))).Encrypt(value)); }
private async Task <X509Certificate2> CreateDefaultRepositorySigningCertificateAsync() { var ca = await CreateDefaultTrustedCertificateAuthorityAsync(); var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048); var issueOptions = new IssueCertificateOptions() { KeyPair = keyPair, NotBefore = DateTimeOffset.UtcNow.AddSeconds(-2), NotAfter = DateTimeOffset.UtcNow.AddHours(1), SubjectName = new X509Name("CN=NuGet Cross Verify Test Repository Signning Certificate") }; var bcCertificate = ca.IssueCertificate(issueOptions); return(CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair)); }
private TestUtilities DefaultUtilities() { TestUtilities utils = new TestUtilities(); CertificateUtilities certificateUtilities = new CertificateUtilities(); ConfigurationOptions config = utils.Collector.Config; // verify test credentials work AzureResourceManager arm = new AzureResourceManager(config); _appCertificate = certificateUtilities.GetClientCertificate(TestUtilities.TestProperties.AzureClientCertificate); //_appCertificate = new X509Certificate2(Convert.FromBase64String(TestUtilities.TestProperties.AzureClientCertificate), // TestUtilities.TestProperties.adminPassword, // X509KeyStorageFlags.Exportable); Assert.IsNotNull(_appCertificate); _clientCertificate = certificateUtilities.GetClientCertificate(TestUtilities.TestProperties.testAzClientCertificate); //_clientCertificate = new X509Certificate2(Convert.FromBase64String(TestUtilities.TestProperties.testAzClientCertificate), // TestUtilities.TestProperties.adminPassword, // X509KeyStorageFlags.Exportable); Assert.IsNotNull(_clientCertificate); config.AzureResourceGroup = TestUtilities.TestProperties.AzureResourceGroup; config.AzureResourceGroupLocation = TestUtilities.TestProperties.AzureResourceGroupLocation; config.AzureSubscriptionId = TestUtilities.TestProperties.AzureSubscriptionId; config.AzureTenantId = TestUtilities.TestProperties.AzureTenantId; // config.AzureClientSecret = TestUtilities.TestProperties.AzureClientSecret; config.AzureClientId = TestUtilities.TestProperties.testAzClientId; config.AzureClientCertificate = TestUtilities.TestProperties.testAzClientCertificate; arm.Authenticate(true); config.SasKey = TestUtilities.TestProperties.SasKey; config.CacheLocation = TestUtilities.TempDir; config.StartTimeStamp = DateTime.MinValue.ToString("o"); config.EndTimeStamp = DateTime.Now.ToString("o"); config.AzureClientId = TestUtilities.TestProperties.AzureClientId; config.AzureClientCertificate = TestUtilities.TestProperties.AzureClientCertificate; config.AzureClientSecret = TestUtilities.TestProperties.AzureClientSecret; config.AzureKeyVault = TestUtilities.TestProperties.AzureKeyVault; config.List = true; config.GatherType = FileTypesEnum.trace.ToString(); return(utils); }
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync() { CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync(); TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync(); AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048); DateTimeOffset now = DateTimeOffset.UtcNow; var issueOptions = new IssueCertificateOptions() { KeyPair = keyPair, NotAfter = now.AddSeconds(10), NotBefore = now.AddSeconds(-2), SubjectName = new X509Name("CN=NuGet Test Expired Certificate") }; BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions); using (TestDirectory directory = TestDirectory.Create()) using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair)) { var packageContext = new SimpleTestPackageContext(); string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync( certificate, packageContext, directory, timestampService.Url); await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate); var verifier = new PackageSignatureVerifier(_trustProviders); using (var packageReader = new PackageArchiveReader(signedPackagePath)) { VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None); PackageVerificationResult trustProvider = result.Results.Single(); Assert.True(result.IsValid); Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust); Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error)); Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning)); } } }
public async Task IsValidAsync_ValidAndTrusted_ReturnsTrue() { var sut = new JwtCertificateValidator( _partiesQueryServiceMock.Object, _trustedListQueryServiceMock.Object, new ProductionCaStrategy(), _loggerMock.Object); var args = new CertificateValidationArgs( CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.PublicKeyBase64Der), Constants.SchemeOwner.ClientId, new[] { CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.RootCaPublicKeyBase64Der) }); var result = await sut.IsValidAsync(args, "access_token", CancellationToken.None); result.Should().BeTrue(); }
/// <summary> /// Implements IConfigurable.SetConfigurationParameter /// </summary> public override void SetConfigurationParameter(string key, string value) { if (Disposed) { throw new ObjectDisposedException(GetType().FullName); } switch (key) { case "ip": { IpAddress = value; break; } case "port": { Port = int.Parse(value); break; } case "certificate": { try { Certificate = CertificateUtilities.LoadCertificate(value); } catch (LogbusException ex) { throw new LogbusConfigurationException("Invalid certificate configuration", ex); } _certificatePath = value; break; } default: { throw new NotSupportedException("Configuration parameter is not supported"); } } }
public async Task <IActionResult> CreateDigitalSignature([FromForm] string payload) { // var payload = "maj pejloud"; var certificate = CertificateUtilities.GetCertificateFromSmartCard(); if (certificate == null) { return(new BadRequestResult()); } (string token, string algorithm) = JWSUtilities.CreateSignature(certificate, payload); var response = new SignatureResponse(); response.Token = token; response.Certificate = Convert.ToBase64String(certificate.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)); response.Algorithm = algorithm; HttpContext.Response.Headers.Add("Access-Control-Allow-Origin", "https://localhost:37101"); HttpContext.Response.Headers.Add("Access-Control-Allow-Methods", "POST"); HttpContext.Response.Headers.Add("Access-Control-Allow-Headers", "Content-Type"); return(new ObjectResult(response)); }
public void AzureClientCertificateX509withPassword() { TestUtilities utils = DefaultUtilities(); ConfigurationOptions config = utils.ConfigurationOptions; utils.ConfigurationOptions.Validate(); DeleteTokenCache(); ProcessOutput results = utils.ExecuteTest((config) => { CertificateUtilities certificateUtilities = new CertificateUtilities(); certificateUtilities.SetSecurePassword(TestUtilities.TestProperties.testAdminPassword); config.ClientCertificate = certificateUtilities.GetClientCertificate(TestUtilities.TestProperties.AzureClientCertificate);// _appCertificate; config.AzureKeyVault = ""; Assert.IsTrue(config.IsClientIdConfigured(), "test configuration invalid"); return(config.ValidateAad()); }, utils.Collector.Config); Assert.IsTrue(results.ExitBool); Assert.IsTrue(!results.HasErrors(), results.ToString()); }
protected override SecureString GetRstsTokenInternal() { if (_disposed) { throw new ObjectDisposedException("CertificateAuthenticator"); } var request = new RestRequest("oauth2/token", RestSharp.Method.POST) .AddHeader("Accept", "application/json") .AddHeader("Content-type", "application/json") .AddJsonBody(new { grant_type = "client_credentials", scope = "rsts:sts:primaryproviderid:certificate" }); var userCert = !string.IsNullOrEmpty(_certificateThumbprint) ? CertificateUtilities.GetClientCertificateFromStore(_certificateThumbprint) : CertificateUtilities.GetClientCertificateFromFile(_certificatePath, _certificatePassword); RstsClient.ClientCertificates = new X509Certificate2Collection() { userCert }; var response = RstsClient.Execute(request); if (response.ResponseStatus != ResponseStatus.Completed) { throw new SafeguardDotNetException($"Unable to connect to RSTS service {RstsClient.BaseUrl}, Error: " + response.ErrorMessage); } if (!response.IsSuccessful) { throw new SafeguardDotNetException("Error using client_credentials grant_type with " + $"{(string.IsNullOrEmpty(_certificatePath) ? $"thumbprint={_certificateThumbprint}" : $"file={_certificatePath}")}" + $", Error: {response.StatusCode} {response.Content}", response.Content); }
public void LoadIdpPublicKey(string certificateStr) { _idpPublicKey = CertificateUtilities.LoadCertificate(certificateStr); }
private void terminateToolStripMenuItem1_Click(object sender, EventArgs e) { if (lstItems.SelectedItems.Count <= 0) { return; } EnrolledYubikey item = lstItems.SelectedItems[0].Tag as EnrolledYubikey; if (item == null) { return; } X509Certificate2 currentCert = new X509Certificate2(item.Certificate.RawCertificate); DialogResult dlgResult = MessageBox.Show("This will terminate the Yubikey, wiping the PIN, PUK, Management Key and Certificates. " + "This will also revoke the certificate. Proceeed?" + Environment.NewLine + Environment.NewLine + "Will revoke: " + currentCert.Subject + Environment.NewLine + "By: " + currentCert.Issuer, "Terminate (WILL revoke)", MessageBoxButtons.YesNo, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button2); if (dlgResult != DialogResult.Yes) { return; } DlgPleaseInsertYubikey yubiWaiter = new DlgPleaseInsertYubikey(item); DialogResult result = yubiWaiter.ShowDialog(); if (result != DialogResult.OK) { return; } DlgProgress prg = new DlgProgress("Terminating certificate"); prg.WorkerAction = worker => { worker.ReportProgress(20, "Revoking certificate ..."); // Begin try { CertificateUtilities.RevokeCertificate(item.CA, item.Certificate.Serial); // Revoked _dataStore.Remove(item); } catch (Exception ex) { MessageBox.Show( "Unable to revoke certificate " + item.Certificate.Serial + " of " + item.CA + " enrolled on " + item.EnrolledAt + ". There was an error." + Environment.NewLine + Environment.NewLine + ex.Message, "An error occurred.", MessageBoxButtons.OK, MessageBoxIcon.Warning); return; } // Wipe the Yubikey worker.ReportProgress(50, "Wiping Yubikey ..."); string devName = YubikeyPivManager.Instance.ListDevices().FirstOrDefault(); bool hasDevice = !string.IsNullOrEmpty(devName); if (hasDevice) { using (YubikeyPivDevice dev = YubikeyPivManager.Instance.OpenDevice(devName)) { int serial = (int)dev.GetSerialNumber(); if (item.DeviceSerial != serial) { // Something went seriously wrong - perhaps the user switched keys? MessageBox.Show("Unable to reset the yubikey. The inserted key did not match the key you wanted to wipe.", "An error occurred.", MessageBoxButtons.OK, MessageBoxIcon.Warning); return; } } using (YubikeyPivDevice piv = YubikeyPivManager.Instance.OpenDevice(devName)) { piv.BlockPin(); worker.ReportProgress(70); piv.BlockPuk(); worker.ReportProgress(90); bool reset = piv.ResetDevice(); if (!reset) { MessageBox.Show("Unable to reset the yubikey. Try resetting it manually.", "An error occurred.", MessageBoxButtons.OK, MessageBoxIcon.Warning); } worker.ReportProgress(100); } } // Write to disk _dataStore.Save(FileStore); }; prg.ShowDialog(); RefreshUserStore(); RefreshInsertedKey(); }
private void EnrollWorkerOnDoWork(object sender, DoWorkEventArgs doWorkEventArgs) { string devName = YubikeyNeoManager.Instance.ListDevices().FirstOrDefault(); bool hasDevice = !string.IsNullOrEmpty(devName); if (!hasDevice) { throw new InvalidOperationException("No yubikey"); } // 0. Get lock on yubikey using (YubikeyNeoDevice dev = YubikeyNeoManager.Instance.OpenDevice(devName)) { // 1. Prep device info int deviceId = dev.GetSerialNumber(); string neoFirmware = dev.GetVersion().ToString(); Version pivFirmware; using (YubikeyPivDevice piv = YubikeyPivManager.Instance.OpenDevice(devName)) pivFirmware = piv.GetVersion(); _enrollWorker.ReportProgress(1); // 2 - Generate PUK, prep PIN byte[] randomKey = Utilities.GenerateRandomKey(); string puk = Utilities.MapBytesToString(randomKey.Take(8).ToArray()); string pin = txtPin.Text; _enrollWorker.ReportProgress(2); // 3 - Prep CA WindowsCertificate enrollmentAgent = WindowsCertStoreUtilities.FindCertificate(_settings.EnrollmentAgentCertificate); string ca = _settings.CSREndpoint; string caTemplate = _settings.EnrollmentCaTemplate; string user = txtUser.Text; if (enrollmentAgent == null) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to find the certificate with thumbprint: " + _settings.EnrollmentAgentCertificate; return; } _enrollWorker.ReportProgress(3); // 4 - Prep Management Key // TODO: Consider a new key every time? byte[] mgmKey = _settings.EnrollmentManagementKey; _enrollWorker.ReportProgress(4); RSAParameters publicKey; X509Certificate2 cert; byte[] chuid; using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName)) { // 5 - Yubico: Reset device pivTool.BlockPin(); pivTool.BlockPuk(); bool reset = pivTool.ResetDevice(); if (!reset) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to reset the YubiKey"; return; } _enrollWorker.ReportProgress(5); // 6 - Yubico: Management Key bool authenticated = pivTool.Authenticate(YubikeyPivDevice.DefaultManagementKey); if (!authenticated) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to authenticate with the YubiKey"; return; } bool setMgmKey = pivTool.SetManagementKey(mgmKey); if (!setMgmKey) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set the management key"; return; } _enrollWorker.ReportProgress(6); // 7 - Yubico: Set CHUID bool setChuid = pivTool.SetCHUID(Guid.NewGuid(), out chuid); if (!setChuid) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set CHUID"; return; } _enrollWorker.ReportProgress(7); // 8 - Yubico: PIN int tmp; bool setPin = pivTool.ChangePin(YubikeyPivDevice.DefaultPin, pin, out tmp); if (!setPin) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set the PIN code"; return; } _enrollWorker.ReportProgress(8); // 9 - Yubico: PUK bool setPuk = pivTool.ChangePuk(YubikeyPivDevice.DefaultPuk, puk, out tmp); if (!setPuk) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to set the PUK code"; return; } _enrollWorker.ReportProgress(9); // 10 - Yubico: Generate Key YubikeyAlgorithm algorithm = (YubikeyAlgorithm)drpAlgorithm.SelectedItem; bool keyGenerated = pivTool.GenerateKey9a(algorithm.Value, out publicKey); if (!keyGenerated) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to generate a keypair"; return; } _enrollWorker.ReportProgress(10); } // 11 - Yubico: Make CSR string csr; string csrError; bool madeCsr = MakeCsr(Utilities.ExportPublicKeyToPEMFormat(publicKey), pin, out csrError, out csr); if (!madeCsr) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to generate a CSR" + Environment.NewLine + csrError; return; } _enrollWorker.ReportProgress(11); // 12 - Enroll string enrollError; bool enrolled = CertificateUtilities.Enroll(user, enrollmentAgent, ca, caTemplate, csr, out enrollError, out cert); if (!enrolled) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to enroll a certificate." + Environment.NewLine + enrollError; return; } _enrollWorker.ReportProgress(12); using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName)) { // 13 - Yubico: Import Cert bool authenticatedForCert = pivTool.Authenticate(mgmKey); if (!authenticatedForCert) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = "Unable to authenticate prior to importing a certificate"; return; } YubicoPivReturnCode imported = pivTool.SetCertificate9a(cert); if (imported != YubicoPivReturnCode.YKPIV_OK) { doWorkEventArgs.Cancel = true; _enrollWorkerMessage = $"Unable to import a certificate, return code {imported}"; return; } _enrollWorker.ReportProgress(13); } // 14 - Create enrolled item EnrolledYubikey newEnrollment = new EnrolledYubikey(); newEnrollment.DeviceSerial = deviceId; newEnrollment.Certificate.Serial = cert.SerialNumber; newEnrollment.Certificate.Thumbprint = cert.Thumbprint; newEnrollment.Certificate.Subject = cert.Subject; newEnrollment.Certificate.Issuer = cert.Issuer; newEnrollment.Certificate.StartDate = cert.NotBefore; newEnrollment.Certificate.ExpireDate = cert.NotAfter; newEnrollment.Certificate.RawCertificate = cert.RawData; newEnrollment.CA = ca; newEnrollment.Username = user; newEnrollment.ManagementKey = mgmKey; newEnrollment.PukKey = puk; newEnrollment.Chuid = BitConverter.ToString(chuid).Replace("-", ""); newEnrollment.EnrolledAt = DateTime.UtcNow; newEnrollment.YubikeyVersions.NeoFirmware = neoFirmware; newEnrollment.YubikeyVersions.PivApplet = pivFirmware.ToString(); _dataStore.Add(newEnrollment); _enrollWorker.ReportProgress(14); // 15 - Save store _dataStore.Save(MainForm.FileStore); _enrollWorker.ReportProgress(15); // Report doWorkEventArgs.Cancel = false; _enrollWorkerMessage = "Success"; } }