/// <summary>
/// Illustrate recovery using a not-normal-"consumer mode" recovery agent.
/// </summary>
/// <param name="tokenClient">SDK client</param>
/// <param name="alias">Alias of member to recover</param>
/// <returns>the recovered member</returns>
public Tokenio.Member RecoverWithComplexRule(
TokenClient tokenClient,
Alias alias)
{
var memberId = tokenClient.GetMemberId(alias).Result;
var cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
var newKey = cryptoEngine.GenerateKey(Privileged);
var verificationId = tokenClient.BeginRecovery(alias).Result;
var authorization = tokenClient.CreateRecoveryAuthorization(memberId, newKey).Result;
var agentSignature = GetRecoveryAgentSignature(authorization);
var mro = new MemberRecoveryOperation
{
AgentSignature = agentSignature,
Authorization = authorization
};
var recoveredMember = tokenClient.CompleteRecovery(
memberId,
new List <MemberRecoveryOperation> {
mro
},
newKey,
cryptoEngine).Result;
recoveredMember.VerifyAlias(verificationId, "1thru6").Wait();
return(recoveredMember);
}
public void keys()
{
IKeyStore keyStore = new InMemoryKeyStore();
ICryptoEngine crypto = new TokenCryptoEngine("member-id", keyStore);
MemberMethodsSample.keys(crypto, member);
}
public void KeysTest()
{
using (Tokenio.Tpp.TokenClient tokenClient = TestUtil.CreateClient()) {
IKeyStore keyStore = new InMemoryKeyStore();
ICryptoEngine cryptoEngine = new TokenCryptoEngine("member-id", keyStore);
TppMember member = tokenClient.CreateMemberBlocking(TestUtil.RandomAlias());
MemberMethodsSample.Keys(cryptoEngine, member);
}
}
/// <summary>
/// Recovers a TPP member and verifies its EIDAS alias using eIDAS certificate.
///
/// </summary>
/// <param name="client">token client</param>
/// <param name="memberId">id of the member to be recovered</param>
/// <param name="tppAuthNumber">authNumber of the TPP</param>
/// <param name="certificate">base64 encoded eIDAS certificate</param>
/// <param name="certificatePrivateKey">private key corresponding to the public key in the certificate</param>
/// <returns>verified business member</returns>
public static Member RecoverEidas(
Tokenio.Tpp.TokenClient client,
string memberId,
string tppAuthNumber,
string certificate,
byte[] certificatePrivateKey)
{
// create a signer using the certificate private key
Algorithm signingAlgorithm = Algorithm.Rs256;
ISigner payloadSigner = new Rs256Signer("eidas", certificatePrivateKey);
// generate a new privileged key to add to the member
ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
Key newKey = cryptoEngine.GenerateKey(Level.Privileged);
// construct a payload with all the required data
EidasRecoveryPayload payload = new EidasRecoveryPayload
{
MemberId = memberId,
Certificate = certificate,
Algorithm = signingAlgorithm,
Key = newKey
};
Tokenio.Tpp.Member recoveredMember = client
.RecoverEidasMember(payload, payloadSigner.Sign(payload), cryptoEngine)
.Result;
// the eidas alias becomes unverified after the recovery, so we need to verify it again
Alias eidasAlias = new Alias
{
Value = tppAuthNumber.Trim(),
RealmId = recoveredMember.RealmId(),
Type = Alias.Types.Type.Eidas
};
VerifyEidasPayload verifyPayload = new VerifyEidasPayload
{
MemberId = memberId,
Alias = eidasAlias,
Certificate = certificate,
Algorithm = signingAlgorithm
};
VerifyEidasResponse response = recoveredMember
.VerifyEidas(verifyPayload, payloadSigner.Sign(verifyPayload))
.Result;
return(recoveredMember);
}
/// <summary>
/// Completes account recovery if the default recovery rule was set.
/// </summary>
/// <param name="memberId">the member id</param>
/// <param name="verificationId">the verification id</param>
/// <param name="code">the code</param>
/// <returns>the new member</returns>
public Task <Member> CompleteRecoveryWithDefaultRule(
string memberId,
string verificationId,
string code)
{
var unauthenticated = ClientFactory.Unauthenticated(channel);
var cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
return(unauthenticated
.CompleteRecoveryWithDefaultRule(memberId, verificationId, code, cryptoEngine)
.Map(member =>
{
var client = ClientFactory.Authenticated(channel, member.Id, cryptoEngine);
return new Member(client);
}));
}
public void Recovery_withSecondaryAgent()
{
var alias = Alias();
var member = tokenClient.CreateMemberBlocking(alias);
var memberId = member.MemberId();
var primaryAgentId = member.GetDefaultAgentBlocking();
var secondaryAgent = tokenClient.CreateMemberBlocking(Alias());
var unusedSecondaryAgent = tokenClient.CreateMemberBlocking(Alias());
member.AddRecoveryRuleBlocking(new RecoveryRule
{
PrimaryAgent = primaryAgentId,
SecondaryAgents = { secondaryAgent.MemberId(), unusedSecondaryAgent.MemberId() }
});
var cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
var key = cryptoEngine.GenerateKey(Privileged);
var verificationId = tokenClient.BeginRecoveryBlocking(alias);
var authorization = new Authorization
{
MemberId = memberId,
MemberKey = key,
PrevHash = member.GetLastHashBlocking()
};
var signature = secondaryAgent.AuthorizeRecoveryBlocking(authorization);
var op1 = tokenClient.GetRecoveryAuthorizationBlocking(verificationId, "code", key);
var op2 = new MemberRecoveryOperation
{
Authorization = authorization,
AgentSignature = signature
};
var recovered = tokenClient.CompleteRecoveryBlocking(
memberId,
new[] { op1, op2 },
key,
cryptoEngine);
Assert.Equal(member.MemberId(), recovered.MemberId());
Assert.Equal(3, recovered.GetKeysBlocking().Count);
Assert.Empty(recovered.GetAliasesBlocking());
Assert.False(tokenClient.AliasExistsBlocking(alias));
recovered.VerifyAliasBlocking(verificationId, "code");
Assert.True(tokenClient.AliasExistsBlocking(alias));
CollectionAssert.Equivalent(new[] { alias.ToNormalized() }, recovered.GetAliasesBlocking());
}
/// <summary>
/// Illustrate recovery using a not-normal-"consumer mode" recovery agent.
/// </summary>
/// <param name="tokenClient">SDK client</param>
/// <param name="alias">Alias of member to recover</param>
/// <returns>recovered member</returns>
public TppMember RecoverWithComplexRule(
Tokenio.Tpp.TokenClient tokenClient,
Alias alias)
{
// complexRecovery begin snippet to include in docs
string memberId = tokenClient.GetMemberIdBlocking(alias);
ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
Key newKey = cryptoEngine.GenerateKey(Key.Types.Level.Privileged);
string verificationId = tokenClient.BeginRecoveryBlocking(alias);
MemberRecoveryOperation.Types.Authorization authorization = tokenClient.CreateRecoveryAuthorizationBlocking(
memberId,
newKey);
// ask recovery agent to verify that I really am this member
Signature agentSignature = getRecoveryAgentSignature(authorization);
// We have all the signed authorizations we need.
// (In this example, "all" is just one.)
MemberRecoveryOperation mro = new MemberRecoveryOperation
{
Authorization = authorization,
AgentSignature = agentSignature
};
TppMember recoveredMember = tokenClient.CompleteRecoveryBlocking(
memberId,
(new[] { mro }).ToList(),
newKey,
cryptoEngine);
// after recovery, aliases aren't verified
// In the real world, we'd prompt the user to enter the code emailed to them.
// Since our test member uses an auto-verify email address, any string will work,
// so we use "1thru6".
recoveredMember.VerifyAliasBlocking(verificationId, "1thru6");
// complexRecovery done snippet to include in docs
return(recoveredMember);
}
/// <summary>
/// Recover previously-created member, assuming they were
/// configured with a "normal consumer" recovery rule.
/// </summary>
/// <param name="tokenClient">SDK client</param>
/// <param name="alias">alias of member to recoverWithDefaultRule</param>
/// <returns>recovered member</returns>
public TppMember RecoverWithDefaultRule(Tokenio.Tpp.TokenClient tokenClient, Alias alias)
{
string verificationId = tokenClient.BeginRecoveryBlocking(alias);
// recoverWithDefault begin snippet to include in docs
string memberId = tokenClient.GetMemberIdBlocking(alias);
ICryptoEngine cryptoEngine = new TokenCryptoEngine(memberId, new InMemoryKeyStore());
// In the real world, we'd prompt the user to enter the code emailed to them.
// Since our test member uses an auto-verify email address, any string will work,
// so we use "1thru6".
TppMember recoveredMember = tokenClient.CompleteRecoveryWithDefaultRuleBlocking(
memberId,
verificationId,
"1thru6",
cryptoEngine);
// We can use the same verification code to re-claim this alias.
recoveredMember.VerifyAliasBlocking(verificationId, "1thru6");
// recoverWithDefault done snippet to include in docs
return(recoveredMember);
}
