// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddCors();
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.Configure <AppSettings>(Configuration.GetSection("AppSettings"));
services.AddHttpContextAccessor();
services.AddScoped <IUserService, UserService>();
services.AddAuthentication(a =>
{
a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
x.RequireHttpsMetadata = false;
x.SaveToken = true;
x.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new X509SecurityKey(CertificateUtilities.GetCertificate(Configuration.GetValue <string>("XCM_AUTH_CERT"))),
ValidateIssuer = false,
ValidateAudience = false
};
});
}
public byte[] Decrypt(byte[] value)
{
// Load the certificate if not already loaded
if (_publicKey == null || _privateKey == null)
{
var cert = CertificateUtilities.GetCertificateFromSerial(_state.Serial);
if (cert == null || !cert.HasPrivateKey)
{
var pkcs = CertificateUtilities.GetPkcs11CertificateFromSerial(_state.Serial);
if (pkcs == null)
{
throw new ArgumentException("A certificate with this serial could not be found.", nameof(_state.Serial));
}
_publicKey = pkcs.GetRSAPublicKey();
_privateKey = pkcs.GetRSAPrivateKey();
}
else
{
_publicKey = cert.PublicKey.Key;
_privateKey = cert.PrivateKey as RSACng;
}
}
if (_rawKey == null)
{
_rawKey = new RsaCryptoProvider(_privateKey).Decrypt(_state.ProviderKey);
}
// Decrypt the value
return(new AesCryptoProvider(new CryptoKey(new CryptoKeyProtector("None", _rawKey))).Decrypt(value));
}
public async Task SimulateDevice(string deviceType, int messageDelay, int n, string caFile)
{
var producer = new IoTHubProducerCommands(CurrentContext, service);
if (!String.IsNullOrWhiteSpace(caFile))
{
Console.WriteLine($"Registering CA certificate: {caFile}");
var caCert = await CertificateUtilities.LoadPemCACertificate(caFile, null);
CertificateUtilities.RegisterCert2(caCert);
}
if (string.Compare(deviceType, "temperature", true) == 0)
{
await producer.
SimulateTemperatureSensor(messageDelay, n);
}
else if (string.Compare(deviceType, "temperature_pair", true) == 0)
{
await producer.
SimulateTemperatureSensorPair(messageDelay, n);
}
else
{
Console.WriteLine($"No matching device type: {deviceType}");
}
await Task.CompletedTask;
}
public bool IsValid(AssertionModel assertionModel)
{
try
{
if (!_decodedJwtValidator.IsIShareCompliant(CreateTokenValidationArgs(assertionModel)))
{
return(false);
}
if (!IsRootCertificateTrusted(CertificateUtilities.FromBase64Der(assertionModel.Certificates.Last())))
{
_logger.LogWarning("SO root certificate is untrusted.");
return(false);
}
var x509Certificate = CertificateUtilities.FromBase64Der(assertionModel.Certificates.First());
var additionalCertificates = assertionModel.Certificates.Skip(1)
.Select(CertificateUtilities.FromBase64Der)
.ToArray();
return(IsChainValid(x509Certificate, additionalCertificates) && DoesBelongToSchemeOwner(x509Certificate));
}
catch (Exception e)
{
_logger.LogError(e, "Error occurred while validating token response retrieved from Scheme Owner.");
return(false);
}
}
private SafeguardA2AContext(string networkAddress, string certificateThumbprint, string certificatePath,
SecureString certificatePassword, int apiVersion, bool ignoreSsl)
{
_networkAddress = networkAddress;
// set cloning properties
_certificateThumbprint = certificateThumbprint;
_certificatePath = certificatePath;
_certificatePassword = certificatePassword?.Copy();
_apiVersion = apiVersion;
var safeguardA2AUrl = $"https://{_networkAddress}/service/a2a/v{_apiVersion}";
_a2AClient = new RestClient(safeguardA2AUrl);
if (ignoreSsl)
{
_ignoreSsl = true;
_a2AClient.RemoteCertificateValidationCallback += (sender, certificate, chain, errors) => true;
}
_clientCertificate = !string.IsNullOrEmpty(_certificateThumbprint)
? CertificateUtilities.GetClientCertificateFromStore(_certificateThumbprint)
: CertificateUtilities.GetClientCertificateFromFile(_certificatePath, _certificatePassword);
_a2AClient.ClientCertificates = new X509Certificate2Collection()
{
_clientCertificate
};
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestampWithTooLargeRange_FailsAsync()
{
ISigningTestServer testServer = await _testFixture.GetSigningTestServerAsync();
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var accuracy = new BcAccuracy(seconds: new DerInteger(30), millis: null, micros: null);
var serviceOptions = new TimestampServiceOptions()
{
Accuracy = accuracy
};
TimestampService timestampService = TimestampService.Create(ca, serviceOptions);
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (testServer.RegisterResponder(timestampService))
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult results = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult result = results.Results.Single();
Assert.False(results.IsValid);
Assert.Equal(SignatureVerificationStatus.Disallowed, result.Trust);
Assert.Equal(1, result.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, result.Issues.Count(issue => issue.Level == LogLevel.Warning));
Assert.Contains(result.Issues, issue =>
issue.Code == NuGetLogCode.NU3037 &&
issue.Level == LogLevel.Error &&
issue.Message.Contains("validity period has expired."));
}
}
}
public void FromPemFormat_FromBase64Der_BothCertsConvertedCorrectly()
{
var cert1 = CertificateUtilities.FromPemFormat(Constants.SchemeOwner.PublicKey);
var cert2 = CertificateUtilities.FromBase64Der(Constants.SchemeOwner.PublicKeyBase64Der);
var sha1 = cert1.GetSha256();
var sha2 = cert2.GetSha256();
sha1.Should().Be(sha2);
}
public SafeguardEventListener(string eventUrl, X509Certificate2 clientCertificate, SecureString apiKey,
bool ignoreSsl) : this(eventUrl, ignoreSsl)
{
_clientCertificate = CertificateUtilities.Copy(clientCertificate);
if (apiKey == null)
{
throw new ArgumentException("Parameter may not be null", nameof(apiKey));
}
_apiKey = apiKey.Copy();
}
public async Task IsValidAsync_ChainInvalid_ReturnsFalse()
{
var args = new CertificateValidationArgs(
CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey),
Constants.AbcParty.ClientId,
new[] { CertificateUtilities.FromPemFormat(RandomCaPublicKey) });
var result = await _sut.IsValidAsync(args, "access_token_which_wont_be_used_here");
result.Should().BeFalse();
}
private static CertificateValidationArgs CreateValidArgs()
{
return(new CertificateValidationArgs(
CertificateUtilities.FromPemFormat(Constants.AbcParty.PublicKey),
Constants.AbcParty.ClientId,
new[]
{
CertificateUtilities.FromPemFormat(Constants.TestCertificateAuthority.IntermediateCaPublicKey),
CertificateUtilities.FromPemFormat(Constants.TestCertificateAuthority.RootCaPublicKey)
}));
}
public FederationSecurityTokenServiceConfiguration()
: base(
WebConfigurationManager.AppSettings[ApplicationSettingsNames.IssuerName],
new X509SigningCredentials(
CertificateUtilities.GetCertificate(
StoreName.My,
StoreLocation.LocalMachine,
WebConfigurationManager.AppSettings[ApplicationSettingsNames.SigningCertificateName])))
{
this.SecurityTokenService = typeof(FederationSecurityTokenService);
this.DefaultTokenType = SecurityTokenTypes.Saml2TokenProfile11;
}
public async Task <IActionResult> RegisterCertificateCallback([FromBody] SmartCardAuthorizationResponse smartCardAuthorizationResponse)
{
var sub = HttpContext.User.Claims.FirstOrDefault(x => x.Type == "sub")?.Value;
if (string.IsNullOrEmpty(sub))
{
return(Json(new { success = false }));
}
var user = await _users.FindByIdAsync(sub);
if (smartCardAuthorizationResponse == null || string.IsNullOrEmpty(smartCardAuthorizationResponse.Certificate) || string.IsNullOrEmpty(smartCardAuthorizationResponse.Token))
{
return(Json(new { success = false }));
}
var certificate = CertificateUtilities.GetAndValidateCertificate(smartCardAuthorizationResponse.Certificate);
if (certificate == null)
{
return(Json(new { success = false }));
}
if (_authContext.UserCertificates.FirstOrDefault(x => x.Thumbprint == certificate.Thumbprint) != null)
{
return(Json(new { success = false }));
}
var payload = HttpContext.Session.GetString("certificateRegister.challenge");
var verifyResult = JwtUtils.ValidateJWT(
certificate,
smartCardAuthorizationResponse.Token,
smartCardAuthorizationResponse.Algorithm,
payload);
if (verifyResult)
{
var dbuser = _authContext.Users.First(u => u.Id == user.Id);
var userCert = new UserCertificate()
{
Certificate = Convert.ToBase64String(certificate.RawData),
Thumbprint = certificate.Thumbprint,
User = dbuser,
RegistrationDate = DateTime.Now,
Subject = certificate.Subject
};
_authContext.UserCertificates.Add(userCert);
_authContext.SaveChanges();
return(Json(new { success = true }));
}
return(Json(new { success = false }));
}
public IOutboundTransport CreateTransport()
{
if (ServerCertificate == null && !string.IsNullOrEmpty(_certificatePath))
{
lock (this)
ServerCertificate = (string.IsNullOrEmpty(CertificatePassword))
? CertificateUtilities.LoadCertificate(_certificatePath)
: CertificateUtilities.LoadCertificate(_certificatePath, CertificatePassword);
}
return(new SyslogTlsTransport(ServerCertificate, ValidateClientCertificate)
{
Log = Log
});
}
public byte[] Encrypt(byte[] value)
{
// Generate the key if not already present
if (_state.ProviderKey == null)
{
if (_rawKey == null)
{
_rawKey = CertificateUtilities.GenerateEncryptionKey(_publicKey.KeySize);
}
_state.ProviderKey = new RsaCryptoProvider(_privateKey).Encrypt(_rawKey);
}
// Encrypt the value
return(new AesCryptoProvider(new CryptoKey(new CryptoKeyProtector("None", _rawKey))).Encrypt(value));
}
private async Task <X509Certificate2> CreateDefaultRepositorySigningCertificateAsync()
{
var ca = await CreateDefaultTrustedCertificateAuthorityAsync();
var keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotBefore = DateTimeOffset.UtcNow.AddSeconds(-2),
NotAfter = DateTimeOffset.UtcNow.AddHours(1),
SubjectName = new X509Name("CN=NuGet Cross Verify Test Repository Signning Certificate")
};
var bcCertificate = ca.IssueCertificate(issueOptions);
return(CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair));
}
private TestUtilities DefaultUtilities()
{
TestUtilities utils = new TestUtilities();
CertificateUtilities certificateUtilities = new CertificateUtilities();
ConfigurationOptions config = utils.Collector.Config;
// verify test credentials work
AzureResourceManager arm = new AzureResourceManager(config);
_appCertificate = certificateUtilities.GetClientCertificate(TestUtilities.TestProperties.AzureClientCertificate);
//_appCertificate = new X509Certificate2(Convert.FromBase64String(TestUtilities.TestProperties.AzureClientCertificate),
// TestUtilities.TestProperties.adminPassword,
// X509KeyStorageFlags.Exportable);
Assert.IsNotNull(_appCertificate);
_clientCertificate = certificateUtilities.GetClientCertificate(TestUtilities.TestProperties.testAzClientCertificate);
//_clientCertificate = new X509Certificate2(Convert.FromBase64String(TestUtilities.TestProperties.testAzClientCertificate),
// TestUtilities.TestProperties.adminPassword,
// X509KeyStorageFlags.Exportable);
Assert.IsNotNull(_clientCertificate);
config.AzureResourceGroup = TestUtilities.TestProperties.AzureResourceGroup;
config.AzureResourceGroupLocation = TestUtilities.TestProperties.AzureResourceGroupLocation;
config.AzureSubscriptionId = TestUtilities.TestProperties.AzureSubscriptionId;
config.AzureTenantId = TestUtilities.TestProperties.AzureTenantId;
// config.AzureClientSecret = TestUtilities.TestProperties.AzureClientSecret;
config.AzureClientId = TestUtilities.TestProperties.testAzClientId;
config.AzureClientCertificate = TestUtilities.TestProperties.testAzClientCertificate;
arm.Authenticate(true);
config.SasKey = TestUtilities.TestProperties.SasKey;
config.CacheLocation = TestUtilities.TempDir;
config.StartTimeStamp = DateTime.MinValue.ToString("o");
config.EndTimeStamp = DateTime.Now.ToString("o");
config.AzureClientId = TestUtilities.TestProperties.AzureClientId;
config.AzureClientCertificate = TestUtilities.TestProperties.AzureClientCertificate;
config.AzureClientSecret = TestUtilities.TestProperties.AzureClientSecret;
config.AzureKeyVault = TestUtilities.TestProperties.AzureKeyVault;
config.List = true;
config.GatherType = FileTypesEnum.trace.ToString();
return(utils);
}
public async Task VerifySignaturesAsync_ExpiredCertificateAndTimestamp_SuccessAsync()
{
CertificateAuthority ca = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
TimestampService timestampService = await _testFixture.GetDefaultTrustedTimestampServiceAsync();
AsymmetricCipherKeyPair keyPair = SigningTestUtility.GenerateKeyPair(publicKeyLength: 2048);
DateTimeOffset now = DateTimeOffset.UtcNow;
var issueOptions = new IssueCertificateOptions()
{
KeyPair = keyPair,
NotAfter = now.AddSeconds(10),
NotBefore = now.AddSeconds(-2),
SubjectName = new X509Name("CN=NuGet Test Expired Certificate")
};
BcX509Certificate bcCertificate = ca.IssueCertificate(issueOptions);
using (TestDirectory directory = TestDirectory.Create())
using (X509Certificate2 certificate = CertificateUtilities.GetCertificateWithPrivateKey(bcCertificate, keyPair))
{
var packageContext = new SimpleTestPackageContext();
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(
certificate,
packageContext,
directory,
timestampService.Url);
await SignatureTestUtility.WaitForCertificateExpirationAsync(certificate);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
VerifySignaturesResult result = await verifier.VerifySignaturesAsync(packageReader, _verifyCommandSettings, CancellationToken.None);
PackageVerificationResult trustProvider = result.Results.Single();
Assert.True(result.IsValid);
Assert.Equal(SignatureVerificationStatus.Valid, trustProvider.Trust);
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Error));
Assert.Equal(0, trustProvider.Issues.Count(issue => issue.Level == LogLevel.Warning));
}
}
}
public async Task IsValidAsync_ValidAndTrusted_ReturnsTrue()
{
var sut = new JwtCertificateValidator(
_partiesQueryServiceMock.Object,
_trustedListQueryServiceMock.Object,
new ProductionCaStrategy(),
_loggerMock.Object);
var args = new CertificateValidationArgs(
CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.PublicKeyBase64Der),
Constants.SchemeOwner.ClientId,
new[]
{
CertificateUtilities.FromBase64Der(Constants.TrustedCertificates.RootCaPublicKeyBase64Der)
});
var result = await sut.IsValidAsync(args, "access_token", CancellationToken.None);
result.Should().BeTrue();
}
/// <summary>
/// Implements IConfigurable.SetConfigurationParameter
/// </summary>
public override void SetConfigurationParameter(string key, string value)
{
if (Disposed)
{
throw new ObjectDisposedException(GetType().FullName);
}
switch (key)
{
case "ip":
{
IpAddress = value;
break;
}
case "port":
{
Port = int.Parse(value);
break;
}
case "certificate":
{
try
{
Certificate = CertificateUtilities.LoadCertificate(value);
}
catch (LogbusException ex)
{
throw new LogbusConfigurationException("Invalid certificate configuration", ex);
}
_certificatePath = value;
break;
}
default:
{
throw new NotSupportedException("Configuration parameter is not supported");
}
}
}
public async Task <IActionResult> CreateDigitalSignature([FromForm] string payload)
{
// var payload = "maj pejloud";
var certificate = CertificateUtilities.GetCertificateFromSmartCard();
if (certificate == null)
{
return(new BadRequestResult());
}
(string token, string algorithm) = JWSUtilities.CreateSignature(certificate, payload);
var response = new SignatureResponse();
response.Token = token;
response.Certificate = Convert.ToBase64String(certificate.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert));
response.Algorithm = algorithm;
HttpContext.Response.Headers.Add("Access-Control-Allow-Origin", "https://localhost:37101");
HttpContext.Response.Headers.Add("Access-Control-Allow-Methods", "POST");
HttpContext.Response.Headers.Add("Access-Control-Allow-Headers", "Content-Type");
return(new ObjectResult(response));
}
public void AzureClientCertificateX509withPassword()
{
TestUtilities utils = DefaultUtilities();
ConfigurationOptions config = utils.ConfigurationOptions;
utils.ConfigurationOptions.Validate();
DeleteTokenCache();
ProcessOutput results = utils.ExecuteTest((config) =>
{
CertificateUtilities certificateUtilities = new CertificateUtilities();
certificateUtilities.SetSecurePassword(TestUtilities.TestProperties.testAdminPassword);
config.ClientCertificate = certificateUtilities.GetClientCertificate(TestUtilities.TestProperties.AzureClientCertificate);// _appCertificate;
config.AzureKeyVault = "";
Assert.IsTrue(config.IsClientIdConfigured(), "test configuration invalid");
return(config.ValidateAad());
}, utils.Collector.Config);
Assert.IsTrue(results.ExitBool);
Assert.IsTrue(!results.HasErrors(), results.ToString());
}
protected override SecureString GetRstsTokenInternal()
{
if (_disposed)
{
throw new ObjectDisposedException("CertificateAuthenticator");
}
var request = new RestRequest("oauth2/token", RestSharp.Method.POST)
.AddHeader("Accept", "application/json")
.AddHeader("Content-type", "application/json")
.AddJsonBody(new
{
grant_type = "client_credentials",
scope = "rsts:sts:primaryproviderid:certificate"
});
var userCert = !string.IsNullOrEmpty(_certificateThumbprint)
? CertificateUtilities.GetClientCertificateFromStore(_certificateThumbprint)
: CertificateUtilities.GetClientCertificateFromFile(_certificatePath, _certificatePassword);
RstsClient.ClientCertificates = new X509Certificate2Collection()
{
userCert
};
var response = RstsClient.Execute(request);
if (response.ResponseStatus != ResponseStatus.Completed)
{
throw new SafeguardDotNetException($"Unable to connect to RSTS service {RstsClient.BaseUrl}, Error: " +
response.ErrorMessage);
}
if (!response.IsSuccessful)
{
throw new SafeguardDotNetException("Error using client_credentials grant_type with " +
$"{(string.IsNullOrEmpty(_certificatePath) ? $"thumbprint={_certificateThumbprint}" : $"file={_certificatePath}")}" +
$", Error: {response.StatusCode} {response.Content}", response.Content);
}
public void LoadIdpPublicKey(string certificateStr)
{
_idpPublicKey = CertificateUtilities.LoadCertificate(certificateStr);
}
private void terminateToolStripMenuItem1_Click(object sender, EventArgs e)
{
if (lstItems.SelectedItems.Count <= 0)
{
return;
}
EnrolledYubikey item = lstItems.SelectedItems[0].Tag as EnrolledYubikey;
if (item == null)
{
return;
}
X509Certificate2 currentCert = new X509Certificate2(item.Certificate.RawCertificate);
DialogResult dlgResult = MessageBox.Show("This will terminate the Yubikey, wiping the PIN, PUK, Management Key and Certificates. " +
"This will also revoke the certificate. Proceeed?" + Environment.NewLine + Environment.NewLine +
"Will revoke: " + currentCert.Subject + Environment.NewLine +
"By: " + currentCert.Issuer, "Terminate (WILL revoke)",
MessageBoxButtons.YesNo, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button2);
if (dlgResult != DialogResult.Yes)
{
return;
}
DlgPleaseInsertYubikey yubiWaiter = new DlgPleaseInsertYubikey(item);
DialogResult result = yubiWaiter.ShowDialog();
if (result != DialogResult.OK)
{
return;
}
DlgProgress prg = new DlgProgress("Terminating certificate");
prg.WorkerAction = worker =>
{
worker.ReportProgress(20, "Revoking certificate ...");
// Begin
try
{
CertificateUtilities.RevokeCertificate(item.CA, item.Certificate.Serial);
// Revoked
_dataStore.Remove(item);
}
catch (Exception ex)
{
MessageBox.Show(
"Unable to revoke certificate " + item.Certificate.Serial + " of " + item.CA +
" enrolled on " + item.EnrolledAt + ". There was an error." + Environment.NewLine +
Environment.NewLine + ex.Message, "An error occurred.", MessageBoxButtons.OK, MessageBoxIcon.Warning);
return;
}
// Wipe the Yubikey
worker.ReportProgress(50, "Wiping Yubikey ...");
string devName = YubikeyPivManager.Instance.ListDevices().FirstOrDefault();
bool hasDevice = !string.IsNullOrEmpty(devName);
if (hasDevice)
{
using (YubikeyPivDevice dev = YubikeyPivManager.Instance.OpenDevice(devName))
{
int serial = (int)dev.GetSerialNumber();
if (item.DeviceSerial != serial)
{
// Something went seriously wrong - perhaps the user switched keys?
MessageBox.Show("Unable to reset the yubikey. The inserted key did not match the key you wanted to wipe.", "An error occurred.", MessageBoxButtons.OK, MessageBoxIcon.Warning);
return;
}
}
using (YubikeyPivDevice piv = YubikeyPivManager.Instance.OpenDevice(devName))
{
piv.BlockPin();
worker.ReportProgress(70);
piv.BlockPuk();
worker.ReportProgress(90);
bool reset = piv.ResetDevice();
if (!reset)
{
MessageBox.Show("Unable to reset the yubikey. Try resetting it manually.", "An error occurred.", MessageBoxButtons.OK, MessageBoxIcon.Warning);
}
worker.ReportProgress(100);
}
}
// Write to disk
_dataStore.Save(FileStore);
};
prg.ShowDialog();
RefreshUserStore();
RefreshInsertedKey();
}
private void EnrollWorkerOnDoWork(object sender, DoWorkEventArgs doWorkEventArgs)
{
string devName = YubikeyNeoManager.Instance.ListDevices().FirstOrDefault();
bool hasDevice = !string.IsNullOrEmpty(devName);
if (!hasDevice)
{
throw new InvalidOperationException("No yubikey");
}
// 0. Get lock on yubikey
using (YubikeyNeoDevice dev = YubikeyNeoManager.Instance.OpenDevice(devName))
{
// 1. Prep device info
int deviceId = dev.GetSerialNumber();
string neoFirmware = dev.GetVersion().ToString();
Version pivFirmware;
using (YubikeyPivDevice piv = YubikeyPivManager.Instance.OpenDevice(devName))
pivFirmware = piv.GetVersion();
_enrollWorker.ReportProgress(1);
// 2 - Generate PUK, prep PIN
byte[] randomKey = Utilities.GenerateRandomKey();
string puk = Utilities.MapBytesToString(randomKey.Take(8).ToArray());
string pin = txtPin.Text;
_enrollWorker.ReportProgress(2);
// 3 - Prep CA
WindowsCertificate enrollmentAgent = WindowsCertStoreUtilities.FindCertificate(_settings.EnrollmentAgentCertificate);
string ca = _settings.CSREndpoint;
string caTemplate = _settings.EnrollmentCaTemplate;
string user = txtUser.Text;
if (enrollmentAgent == null)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to find the certificate with thumbprint: " + _settings.EnrollmentAgentCertificate;
return;
}
_enrollWorker.ReportProgress(3);
// 4 - Prep Management Key
// TODO: Consider a new key every time?
byte[] mgmKey = _settings.EnrollmentManagementKey;
_enrollWorker.ReportProgress(4);
RSAParameters publicKey;
X509Certificate2 cert;
byte[] chuid;
using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName))
{
// 5 - Yubico: Reset device
pivTool.BlockPin();
pivTool.BlockPuk();
bool reset = pivTool.ResetDevice();
if (!reset)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to reset the YubiKey";
return;
}
_enrollWorker.ReportProgress(5);
// 6 - Yubico: Management Key
bool authenticated = pivTool.Authenticate(YubikeyPivDevice.DefaultManagementKey);
if (!authenticated)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to authenticate with the YubiKey";
return;
}
bool setMgmKey = pivTool.SetManagementKey(mgmKey);
if (!setMgmKey)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set the management key";
return;
}
_enrollWorker.ReportProgress(6);
// 7 - Yubico: Set CHUID
bool setChuid = pivTool.SetCHUID(Guid.NewGuid(), out chuid);
if (!setChuid)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set CHUID";
return;
}
_enrollWorker.ReportProgress(7);
// 8 - Yubico: PIN
int tmp;
bool setPin = pivTool.ChangePin(YubikeyPivDevice.DefaultPin, pin, out tmp);
if (!setPin)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set the PIN code";
return;
}
_enrollWorker.ReportProgress(8);
// 9 - Yubico: PUK
bool setPuk = pivTool.ChangePuk(YubikeyPivDevice.DefaultPuk, puk, out tmp);
if (!setPuk)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to set the PUK code";
return;
}
_enrollWorker.ReportProgress(9);
// 10 - Yubico: Generate Key
YubikeyAlgorithm algorithm = (YubikeyAlgorithm)drpAlgorithm.SelectedItem;
bool keyGenerated = pivTool.GenerateKey9a(algorithm.Value, out publicKey);
if (!keyGenerated)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to generate a keypair";
return;
}
_enrollWorker.ReportProgress(10);
}
// 11 - Yubico: Make CSR
string csr;
string csrError;
bool madeCsr = MakeCsr(Utilities.ExportPublicKeyToPEMFormat(publicKey), pin, out csrError, out csr);
if (!madeCsr)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to generate a CSR" + Environment.NewLine + csrError;
return;
}
_enrollWorker.ReportProgress(11);
// 12 - Enroll
string enrollError;
bool enrolled = CertificateUtilities.Enroll(user, enrollmentAgent, ca, caTemplate, csr, out enrollError, out cert);
if (!enrolled)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to enroll a certificate." + Environment.NewLine + enrollError;
return;
}
_enrollWorker.ReportProgress(12);
using (YubikeyPivDevice pivTool = YubikeyPivManager.Instance.OpenDevice(devName))
{
// 13 - Yubico: Import Cert
bool authenticatedForCert = pivTool.Authenticate(mgmKey);
if (!authenticatedForCert)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = "Unable to authenticate prior to importing a certificate";
return;
}
YubicoPivReturnCode imported = pivTool.SetCertificate9a(cert);
if (imported != YubicoPivReturnCode.YKPIV_OK)
{
doWorkEventArgs.Cancel = true;
_enrollWorkerMessage = $"Unable to import a certificate, return code {imported}";
return;
}
_enrollWorker.ReportProgress(13);
}
// 14 - Create enrolled item
EnrolledYubikey newEnrollment = new EnrolledYubikey();
newEnrollment.DeviceSerial = deviceId;
newEnrollment.Certificate.Serial = cert.SerialNumber;
newEnrollment.Certificate.Thumbprint = cert.Thumbprint;
newEnrollment.Certificate.Subject = cert.Subject;
newEnrollment.Certificate.Issuer = cert.Issuer;
newEnrollment.Certificate.StartDate = cert.NotBefore;
newEnrollment.Certificate.ExpireDate = cert.NotAfter;
newEnrollment.Certificate.RawCertificate = cert.RawData;
newEnrollment.CA = ca;
newEnrollment.Username = user;
newEnrollment.ManagementKey = mgmKey;
newEnrollment.PukKey = puk;
newEnrollment.Chuid = BitConverter.ToString(chuid).Replace("-", "");
newEnrollment.EnrolledAt = DateTime.UtcNow;
newEnrollment.YubikeyVersions.NeoFirmware = neoFirmware;
newEnrollment.YubikeyVersions.PivApplet = pivFirmware.ToString();
_dataStore.Add(newEnrollment);
_enrollWorker.ReportProgress(14);
// 15 - Save store
_dataStore.Save(MainForm.FileStore);
_enrollWorker.ReportProgress(15);
// Report
doWorkEventArgs.Cancel = false;
_enrollWorkerMessage = "Success";
}
}
