How do I configure "key material" in IdentityServer4 to use SQL, Key Vault or any other system?

TLD*_*LDR 5 azure-web-app-service asp.net-core identityserver4

The IdentityServer4 source code asks us to "configure key material" for production.


I created keys for IdentityServer4 using the following PowerShell script.

```powershell
# (not necessary for this question, but others may find this useful)

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][string]$password = "",
    [Parameter(Mandatory=$true)][string]$rootDomain = ""
)

#https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"

# abort if files exist
if((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
    Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
    Exit
}

# self-signed RSA-4096 certificate, valid 10 years, usable for digital signature
function Get-NewCert ([string]$name)
{
    New-SelfSignedCertificate `
        -Subject $rootDomain `
        -DnsName $rootDomain `
        -FriendlyName $name `
        -NotBefore (Get-Date) `
        -NotAfter (Get-Date).AddYears(10) `
        -CertStoreLocation "cert:CurrentUser\My" `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
        -Type Custom,DocumentEncryptionCert `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText

# token signing certificate
$cert = Get-NewCert "IdentityServer Token Signing Credentials"
$store = 'Cert:\CurrentUser\My\' + ($cert.Thumbprint)
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint

# token validation certificate
$cert = Get-NewCert "IdentityServer Token Validation Credentials"
$store = 'Cert:\CurrentUser\My\' + ($cert.Thumbprint)
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint
```

Is there any implementation or sample implementation with a placeholder that clearly shows me where to implement the key-retrieval function, along with instructions on how to add it correctly to Startup.cs?

I'm still trying to understand the ASP.NET Core startup/configuration/Kestrel configuration process, and this is where I'm stuck.

  • How do I manage the key material?
  • Which object do I override, and how do I configure IdentityServer4 to use it?

Vid*_*ius 5

You can configure the signing key using the IIdentityServerBuilder API:

```csharp
builder.AddSigningCredential(myKeyMaterial);
```

You have the following overloads available:

```csharp
public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)
```

Here's an example from one of my projects, using an X509 certificate looked up by subject name in the local machine certificate store:

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerBuilderExtensions
{
    private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
        IConfiguration options)
    {
        var subjectName = options.GetValue<string>("SubjectName");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        // validOnly = true skips expired or otherwise invalid certificates
        var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);

        if (certificates.Count > 0)
        {
            builder.AddSigningCredential(certificates[0]);
        }
        else
        {
            // Log is the application's static logger
            Log.Error("A matching key couldn't be found in the store");
        }
    }
}
```

With an extension method like this, you can use it as follows (I like to use the hosting environment to decide whether to add the developer default signing credential or the production credential):
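The question asks where the key-retrieval code goes when the PFX lives in SQL or Key Vault rather than the certificate store, and the answer above only shows the store lookup. The following is an added example (not code from the question, the answer or IdentityServer4 itself) that feeds the `AddSigningCredential(X509Certificate2)` overload from raw PFX bytes and switches on the hosting environment as the answer describes; `KeyMaterialExtensions`, `LoadSigningCertificate`, `AddSigningCredentialFromConfig` and the `Signing:*` configuration keys are assumed names.

```csharp
// Added example (not from the question or answer); names below are illustrative.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class KeyMaterialExtensions
{
    // Validates the PFX before IdentityServer4 sees it: a missing private key or an
    // expired certificate would otherwise only surface when the first token is signed.
    public static X509Certificate2 LoadSigningCertificate(byte[] pfxBytes, string password)
    {
        // MachineKeySet avoids depending on a loaded user profile under IIS app pools.
        var cert = new X509Certificate2(pfxBytes, password, X509KeyStorageFlags.MachineKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key; it cannot sign tokens.");
        if (cert.NotAfter.ToUniversalTime() < DateTime.UtcNow)
            throw new InvalidOperationException($"Signing certificate expired on {cert.NotAfter:u}.");
        return cert;
    }

    // Development keeps the built-in temporary key; production loads token_signing.pfx
    // and optionally keeps the previous certificate as a validation-only key so tokens
    // issued before a rollover still verify.
    public static IIdentityServerBuilder AddSigningCredentialFromConfig(
        this IIdentityServerBuilder builder, IHostEnvironment env, IConfiguration config)
    {
        if (env.IsDevelopment())
            return builder.AddDeveloperSigningCredential();

        // Swap File.ReadAllBytes for a SQL or Key Vault read; nothing else changes.
        builder.AddSigningCredential(LoadSigningCertificate(
            File.ReadAllBytes(config["Signing:PfxPath"]), config["Signing:PfxPassword"]));

        var previousPath = config["Signing:PreviousPfxPath"];
        if (!string.IsNullOrEmpty(previousPath))
        {
            builder.AddValidationKey(new X509Certificate2(File.ReadAllBytes(previousPath),
                config["Signing:PreviousPfxPassword"], X509KeyStorageFlags.MachineKeySet));
        }
        return builder;
    }
}

// Startup.ConfigureServices (Environment is the injected IWebHostEnvironment):
// services.AddIdentityServer().AddSigningCredentialFromConfig(Environment, Configuration);
```

Keep the PFX password out of appsettings.json in production (user secrets, environment variables or the secret store itself); the configuration keys are only the lookup handle.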