Data Protection in ASP.NET Core 2.1 only works on one machine

Cod*_*841 11 c# dpapi asp.net-core

I am using the ASP.NET Core Data Protection system to encrypt data with application A and decrypt it with application B.

Both encryption and decryption work when run on the development machine, but once application B is moved to the production machine it can no longer decrypt, because the IDataProtector.Unprotect method throws an exception:

System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.

Here is the code I use to configure decryption in application B:

using System.IO;
using System.Reflection;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Key ring directory next to the application binaries
string sKeysPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Keys");

services.AddDataProtection()
    .SetApplicationName("My Application") // Application A sets this same name
    .PersistKeysToFileSystem(new DirectoryInfo(sKeysPath))
    .ProtectKeysWithCertificate("634D3F23...")
    //.ProtectKeysWithCertificate(x509Certificate2) // I've tried using an X509 certificate parameter but it gives the same result as providing the thumbprint of the one in the certificate store
    .DisableAutomaticKeyGeneration(); // Application A is the master key generator so do not generate keys

The production machine does contain the same Keys folder (with the .pfx and .xml files) and the same key installed in the Windows certificate store.

As I understand it, by providing the certificate file to the Data Protection system it should work on any machine rather than being tied to a specific machine or Windows user. Is this assumption incorrect, or is there a problem with the way I am performing the decryption?

Here are some more detailed log messages:

2018-06-13 16:32:32.6750 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector | 5 | Performing unprotect operation to key {846541...} with purposes ('My Application', 'My Purpose').

2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository | 37 | Reading data from file 'C:\inetpub\wwwroot\My Website\Keys\key-846541....xml'.

2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 18 | Found key {846541...}.

2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 13 | Considering key {846541...} with expiration date 2038-01-18 20:54:13Z as default key.

2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.TypeForwardingActivator | Forwarded activator type request from Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=2.1.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60 to Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Culture=neutral, PublicKeyToken=adb9793829ddae60

2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 24 | An exception occurred while processing the key element '<key id="846541..." version="1" />'. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist

2018-06-13 16:32:32.7051 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 25 | An exception occurred while processing the key element '<key id="846541..." version="1" />...

2018-06-13 16:32:32.7051 | WARN | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 12 | Key {846541...} is ineligible to be the default key because its CreateEncryptor method failed. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist

2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 14 | Key {846541...} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered.

2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 53 | Repository contains no viable default key. Caller should generate a key with immediate activation.

2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 57 | Policy resolution states that a new key should be added to the key ring.

2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 49 | The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled.

2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 48 | An error occurred while reading the key ring. System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.

Cod*_*841 8

Thanks to Joe Audette's suggestion, I looked at the detailed logging and found a more specific error, which pointed me to this answer that has the solution.

The problem was that the permissions on the certificate in the Windows certificate store did not give the IIS_IUSRS group read access (right-click the certificate > All Tasks > Manage Private Keys...). The issue did not show up on the development machine because there it ran under the Visual Studio user context.

  • Hello. I ran into the same problem, but the permissions did not fix it. How did you enable this detailed logging? Thanks (2 upvotes)
  • You can pass options in DataProtectionProvider.Create and do `options.Services.AddLogging(configure => configure.SetMinimumLevel(LogLevel.Trace).AddConsole());` (2 upvotes)
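A startup check that combines the accepted answer's fix with the trace-logging tip from the comment, added here as an example rather than code from the question. It assumes the certificate lives in LocalMachine\My, uses the thumbprint placeholder from the question, assumes an RSA key, and needs the Microsoft.Extensions.Logging.Console package for AddConsole().

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
public static class DataProtectionSetup
{
    private const string Thumbprint = "634D3F23..."; // placeholder, as in the question
    // Opens the key-encryption certificate and proves the current identity (the IIS app pool in production) can read its RSA private key, so "Keyset does not exist" fails at startup instead of on the first Unprotect call.
    public static X509Certificate2 LoadKeyCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine)) // assumed store location
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not in LocalMachine\\My: " + Thumbprint);
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate was imported without its private key.");
            try
            {
                // Opening the key handle is exactly what fails when IIS_IUSRS lacks read access.
                using (var rsa = cert.GetRSAPrivateKey())
                    rsa.ExportParameters(false);
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Private key not readable by this identity; grant read " +
                    "access via certlm.msc > All Tasks > Manage Private Keys.", ex);
            }
            return cert;
        }
    }
    // The question's configuration, plus the trace logging suggested in the comment above.
    public static void ConfigureDataProtection(IServiceCollection services)
    {
        var keysPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Keys");
        services.AddLogging(b => b.SetMinimumLevel(LogLevel.Trace).AddConsole());
        services.AddDataProtection()
            .SetApplicationName("My Application")
            .PersistKeysToFileSystem(new DirectoryInfo(keysPath))
            .ProtectKeysWithCertificate(LoadKeyCertificate())
            .DisableAutomaticKeyGeneration();
    }
}
```

Call ConfigureDataProtection from ConfigureServices in application B; a permissions problem then surfaces as a clear InvalidOperationException at startup rather than as the "key ring does not contain a valid default protection key" error on the first request.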

tej*_*jas 5

I had a similar problem, but it was between two different ASP.NET Core applications trying to share the same cookie. A minor version mismatch in Microsoft.AspNetCore.Authentication.Cookies (2.1.2 vs 2.2.0) caused one of the applications to be unable to find the keys created by the other version.

Adding this answer here (even though it does not answer the question above) because the error message matched exactly, and hopefully it saves someone a few hours.