Ale*_* A. 6 linux data-protection asp.net-core asp.net-core-2.0
I am trying to configure Data Protection and use a certificate to protect the key files. Here is the MS documentation: Configure Data Protection.
This is what I am trying to do:
    services
        .AddDataProtection()
        .SetApplicationName("test server")
        // PersistKeysToFileSystem takes a DirectoryInfo, not a string
        .PersistKeysToFileSystem(new DirectoryInfo("/home/www-data/config"))
        .ProtectKeysWithCertificate(
            new X509Certificate2("/home/www-data/config/keyprotection.pfx"));
When I start the application, I get the following error at startup:
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
Creating key {71e2c23f-448b-49c9-984f-3c8d7227c904} with
creation date 2017-08-29 18:53:51Z, activation date 2017-08-29 18:53:51Z, and expiration date 2017-11-27 18:53:51Z.
info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
Writing data to file '/home/www-data/config/key-71e2c23f-448b-49c9-984f-3c8d7227c904.xml'.
fail: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[24]
An exception occurred while processing the key element '<key id="71e2c23f-448b-49c9-984f-3c8d7227c904" version="1" />'.
System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
Key {71e2c23f-448b-49c9-984f-3c8d7227c904} is ineligible to be the default key because its CreateEncryptor method failed.
System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
at System.Lazy`1.CreateValue()
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
Key {71e2c23f-448b-49c9-984f-3c8d7227c904} is ineligible to be the default key because its CreateEncryptor method failed.
System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
So the key is created and encrypted fine. But it seems it does not know how to decrypt it, as stated in the error:
System.Security.Cryptography.CryptographicException:
Unable to retrieve the decryption key.
If I understand correctly, it uses the certificate I provided to encrypt the key. But for some reason it does not seem to use the same certificate for decryption (it looks like it tries to retrieve it from somewhere else [a store?]).
What is wrong?
I also tried putting the certificate into the CA store, as described here: Create a self-signed certificate and trust it on Ubuntu Linux
Then I tried to get it back from code, like this:
    var cert = new CertificateResolver().ResolveCertificate(CertThumbprint);
But it did not work (it cannot find it).
I also tried to find it using the following:
    var store = new X509Store(StoreName.CertificateAuthority,
                              StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    var collection = store.Certificates.Find(
        X509FindType.FindByThumbprint,
        CertThumbprint, false);
    store.Close();
    var x509Cert = collection.Count > 0 ? collection[0] : null;
But that did not work either.
So what is the correct way to do this?
For reasons known only to Microsoft, the overloads of ProtectKeysWithCertificate that accept an actual certificate (a PFX file or an X509Certificate2 object) can only encrypt the DPAPI data. Decryption only works if the same certificate is stored in the machine's certificate store, which makes these overloads relatively pointless.
Why? Who knows. It is not particularly useful information, but it is vaguely referred to here as a "limitation of the underlying framework".
In this related discussion (which was just closed without any help or involvement from Microsoft), a user shares custom persistence classes that are not affected by this mysterious "limitation". GitHub repository linked below. I know this is an old question, but maybe it will help someone else.
https://github.com/tillig/DataProtection
Update: this will be fixed in the upcoming Core 2.1.0 release: https://github.com/aspnet/Home/issues/2759#issuecomment-367157751
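The following is an added example, not code from the question or the answer above, showing how the same setup looks once the 2.1 fix the answer mentions is available. It assumes ASP.NET Core 2.1 or later, where ProtectKeysWithCertificate(X509Certificate2) no longer depends on the machine certificate store for decryption and UnprotectKeysWithAnyCertificate lets you list every certificate that may decrypt existing key files. It goes slightly beyond the question by also handling certificate rotation (the previous certificate stays registered for decryption only), by refusing a PFX that lacks its private key (a PFX that can encrypt but never decrypt reproduces exactly the "Unable to retrieve the decryption key" failure from the log), and by doing a protect/unprotect round trip at startup so a broken key ring is caught before the first request. The paths, password, application name and purpose string are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Added example (assumes ASP.NET Core 2.1+); paths and password are placeholders.
public static class KeyProtectionSetup
{
    public static IServiceProvider Build(
        string keyDir,
        string currentPfx, string currentPfxPassword,
        string previousPfx = null, string previousPfxPassword = null)
    {
        var current = LoadWithPrivateKey(currentPfx, currentPfxPassword);

        // The previous certificate is only needed to read key files that were
        // encrypted with it; new key files are always encrypted with the current one.
        var decryptors = previousPfx == null
            ? new[] { current }
            : new[] { current, LoadWithPrivateKey(previousPfx, previousPfxPassword) };

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("test server")
            .PersistKeysToFileSystem(new DirectoryInfo(keyDir))
            .ProtectKeysWithCertificate(current)          // encrypts newly created key files
            .UnprotectKeysWithAnyCertificate(decryptors); // decrypts key files when the ring is loaded

        return services.BuildServiceProvider();
    }

    // A PFX exported without its private key can still encrypt the key files,
    // but the application will never be able to decrypt them again.
    private static X509Certificate2 LoadWithPrivateKey(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"{pfxPath} does not contain a private key.");
        return cert;
    }

    // Startup self-check: the first Protect call creates (or loads and decrypts)
    // the key ring, so a certificate mismatch surfaces here rather than on a user request.
    public static bool RoundTrips(IServiceProvider provider)
    {
        var protector = provider.GetDataProtector("startup-selfcheck");
        const string plaintext = "probe";
        string ciphertext = protector.Protect(plaintext);
        return protector.Unprotect(ciphertext) == plaintext;
    }
}

// Usage (placeholders):
//   var sp = KeyProtectionSetup.Build("/home/www-data/config",
//       "/home/www-data/config/keyprotection.pfx", "pfx-password");
//   if (!KeyProtectionSetup.RoundTrips(sp)) Environment.Exit(1);
```

In a real Startup the same builder chain goes into ConfigureServices and the round-trip check can run once the host is built. Keeping the key directory and the PFX readable only by the service account matters as much as the certificate itself: anyone who can read both the key-*.xml files and the private key can decrypt every cookie and token the application has protected.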