1 //----------------------------------------------------------------------
3 // Copyright (c) Microsoft Corporation.
4 // All rights reserved.
6 // This code is licensed under the MIT License.
8 // Permission is hereby granted, free of charge, to any person obtaining a copy
9 // of this software and associated documentation files(the "Software"), to deal
10 // in the Software without restriction, including without limitation the rights
11 // to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
12 // copies of the Software, and to permit persons to whom the Software is
13 // furnished to do so, subject to the following conditions :
15 // The above copyright notice and this permission notice shall be included in
16 // all copies or substantial portions of the Software.
18 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
21 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
26 //------------------------------------------------------------------------------
29 using System.Collections.Generic;
30 using System.Globalization;
33 using System.Runtime.InteropServices.WindowsRuntime;
35 using System.Threading.Tasks;
36 using Windows.Security.Cryptography;
37 using Windows.Security.Cryptography.Certificates;
38 using Windows.Security.Cryptography.Core;
39 using Windows.Storage.Streams;
41 namespace Microsoft.IdentityModel.Clients.ActiveDirectory
43 internal class DeviceAuthHelper : IDeviceAuthHelper
45 public bool CanHandleDeviceAuthChallenge
50 public async Task<string> CreateDeviceAuthChallengeResponse(IDictionary<string, string> challengeData)
52 string authHeaderTemplate = "PKeyAuth {0}, Context=\"{1}\", Version=\"{2}\"";
54 Certificate certificate = await FindCertificate(challengeData).ConfigureAwait(false);
55 DeviceAuthJWTResponse response = new DeviceAuthJWTResponse(challengeData["SubmitUrl"],
56 challengeData["nonce"], Convert.ToBase64String(certificate.GetCertificateBlob().ToArray()));
57 IBuffer input = CryptographicBuffer.ConvertStringToBinary(response.GetResponseToSign(),
58 BinaryStringEncoding.Utf8);
59 CryptographicKey keyPair = await
60 PersistedKeyProvider.OpenKeyPairFromCertificateAsync(certificate, HashAlgorithmNames.Sha256,
61 CryptographicPadding.RsaPkcs1V15).AsTask().ConfigureAwait(false);
63 IBuffer signed = await CryptographicEngine.SignAsync(keyPair, input).AsTask().ConfigureAwait(false);
65 string signedJwt = string.Format(CultureInfo.CurrentCulture, "{0}.{1}", response.GetResponseToSign(),
66 Base64UrlEncoder.Encode(signed.ToArray()));
67 string authToken = string.Format(CultureInfo.CurrentCulture, " AuthToken=\"{0}\"", signedJwt);
68 return string.Format(authHeaderTemplate, authToken, challengeData["Context"], challengeData["Version"]);
71 private async Task<Certificate> FindCertificate(IDictionary<string, string> challengeData)
73 CertificateQuery query = new CertificateQuery();
74 IReadOnlyList<Certificate> certificates = null;
75 string errMessage = null;
77 if (challengeData.ContainsKey("CertAuthorities"))
79 errMessage = "Cert Authorities:" + challengeData["CertAuthorities"];
80 PlatformPlugin.Logger.Verbose(null, "Looking up certificate matching authorities:" + challengeData["CertAuthorities"]);
81 string[] certAuthorities = challengeData["CertAuthorities"].Split(';');
82 foreach (var certAuthority in certAuthorities)
84 //reverse the tokenized string and replace "," with " + "
85 string[] dNames = certAuthority.Split(new[] { "," }, StringSplitOptions.None);
86 string distinguishedIssuerName = dNames[dNames.Length - 1];
87 for (int i = dNames.Length - 2; i >= 0; i--)
89 distinguishedIssuerName += " + " + dNames[i].Trim();
92 query.IssuerName = distinguishedIssuerName;
93 certificates = await CertificateStores.FindAllAsync(query).AsTask().ConfigureAwait(false);
94 if (certificates.Count > 0)
102 errMessage = "Cert Thumbprint:" + challengeData["CertThumbprint"];
103 PlatformPlugin.Logger.Verbose(null, "Looking up certificate matching thumbprint:" + challengeData["CertThumbprint"]);
104 query.Thumbprint = HexStringToByteArray(challengeData["CertThumbprint"]);
105 certificates = await CertificateStores.FindAllAsync(query).AsTask().ConfigureAwait(false);
108 if (certificates == null || certificates.Count == 0)
110 throw new AdalException(AdalError.DeviceCertificateNotFound,
111 string.Format(AdalErrorMessage.DeviceCertificateNotFoundTemplate, errMessage));
114 return certificates[0];
117 private byte[] HexStringToByteArray(string hex)
119 if (hex.Length % 2 == 1)
120 throw new Exception("The binary key cannot have an odd number of digits");
122 byte[] arr = new byte[hex.Length >> 1];
124 for (int i = 0; i < (hex.Length >> 1); ++i)
126 arr[i] = (byte)((GetHexVal(hex[i << 1]) << 4) + (GetHexVal(hex[(i << 1) + 1])));
132 private int GetHexVal(char hex)
135 return val - (val < 58 ? 48 : 55);