来自 KeyVaultKeyResolver 的 Azure rsaKey 始终为 null
Azure rsaKey from KeyVaultKeyResolver is always null
我正在通过我的 MVC/Durandal 网络应用程序将身份证件保存到 Azure blob 存储。我按照 this 示例使用 Azure 密钥保管库加密 Azure 存储中的 blob 以存储加密密钥。
这是我的代码:
public async Task UploadIdentityDocumentForClient(string fileName, ParsedClientModel parsedClientModel)
{
BlobRequestOptions options = await GetBlobRequestOptions();
await
_storageRepository.CreateEncryptedBlobFromByteArray(_storageManager, _containerName, fileName, parsedClientModel.IdentityDocumentFile, parsedClientModel.IdentityDocumentContentType, options);
return fileName;
}
private static async Task GetBlobRequestOptions()
{
string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
string secretName = WebConfigurationManager.AppSettings["SecretEncryptionName"];
*1 KeyVaultKeyResolver keyVaultKeyResolver = new KeyVaultKeyResolver(GetAccessToken);
*2 IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsaKey, null);
BlobRequestOptions options = new BlobRequestOptions
{
EncryptionPolicy = policy
};
return options;
}
public static async Task GetAccessToken(string authority, string resource, string scope)
{
string clientId = WebConfigurationManager.AppSettings["ClientId"];
string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationContext authenticationContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
if (result == null)
{
throw new InvalidOperationException(
"GetAccessToken - Failed to obtain the Active Directory token for application.");
}
*3 return result.AccessToken;
}
public async Task CreateEncryptedBlobFromByteArray(IStorageManager storageManager, string containerName, string fileName,
byte[] byteArray, string contentType, BlobRequestOptions options)
{
CloudBlobContainer container = await CreateStorageContainerIfNotExists(storageManager, containerName);
CloudBlockBlob blob = container.GetBlockBlobReference(fileName);
blob.Properties.ContentType = contentType;
await blob.UploadFromByteArrayAsync(byteArray, 0, byteArray.Length, AccessCondition.GenerateEmptyCondition(), options, new OperationContext());
}
这一行...
IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
总是 return 为空。
我在上面的代码中添加了断点(*1 到 *3)并且注意到 *2 总是在 *3 之前被命中。这意味着 KeyVaultKeyResolver(GetAccessToken) 调用不会等待 GetAccessToken 调用 return 的值。
关于我做错了什么有什么想法吗?
我知道我做错了什么了。
断点 2 在哪里我应该使用这段代码:
SymmetricKey sec = (SymmetricKey) cloudResolver
.ResolveKeyAsync("https://yourkeyvault.vault.azure.net/secrets/MiplanAdminLocalEncryption",
CancellationToken.None)
.GetAwaiter()
.GetResult();
我还必须使用 PowerShell 将机密添加到我的 Azure Key Vault。通过管理 UI 创建机密无效。以下是我使用的命令:
抱歉图片,但即使粘贴为代码示例,SO 也不会接受上述文本。
有关原始示例,请参阅 this 网站。
我找到了一种通过 Azure 门户添加机密的方法:
//If entering via Azure UI:
//Your secret string must be 16 characters (28 bits) long or end up being 28, 192, 256, 384, or 512 bits.
// Base64 encode using https://www.base64encode.org/
//Take this encoded value and enter it as the secret value in the UI.
我正在通过我的 MVC/Durandal 网络应用程序将身份证件保存到 Azure blob 存储。我按照 this 示例使用 Azure 密钥保管库加密 Azure 存储中的 blob 以存储加密密钥。
这是我的代码:
public async Task UploadIdentityDocumentForClient(string fileName, ParsedClientModel parsedClientModel)
{
BlobRequestOptions options = await GetBlobRequestOptions();
await
_storageRepository.CreateEncryptedBlobFromByteArray(_storageManager, _containerName, fileName, parsedClientModel.IdentityDocumentFile, parsedClientModel.IdentityDocumentContentType, options);
return fileName;
}
private static async Task GetBlobRequestOptions()
{
string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
string secretName = WebConfigurationManager.AppSettings["SecretEncryptionName"];
*1 KeyVaultKeyResolver keyVaultKeyResolver = new KeyVaultKeyResolver(GetAccessToken);
*2 IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsaKey, null);
BlobRequestOptions options = new BlobRequestOptions
{
EncryptionPolicy = policy
};
return options;
}
public static async Task GetAccessToken(string authority, string resource, string scope)
{
string clientId = WebConfigurationManager.AppSettings["ClientId"];
string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationContext authenticationContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
if (result == null)
{
throw new InvalidOperationException(
"GetAccessToken - Failed to obtain the Active Directory token for application.");
}
*3 return result.AccessToken;
}
public async Task CreateEncryptedBlobFromByteArray(IStorageManager storageManager, string containerName, string fileName,
byte[] byteArray, string contentType, BlobRequestOptions options)
{
CloudBlobContainer container = await CreateStorageContainerIfNotExists(storageManager, containerName);
CloudBlockBlob blob = container.GetBlockBlobReference(fileName);
blob.Properties.ContentType = contentType;
await blob.UploadFromByteArrayAsync(byteArray, 0, byteArray.Length, AccessCondition.GenerateEmptyCondition(), options, new OperationContext());
}
这一行...
IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
总是 return 为空。
我在上面的代码中添加了断点(*1 到 *3)并且注意到 *2 总是在 *3 之前被命中。这意味着 KeyVaultKeyResolver(GetAccessToken) 调用不会等待 GetAccessToken 调用 return 的值。
关于我做错了什么有什么想法吗?
我知道我做错了什么了。
断点 2 在哪里我应该使用这段代码:
SymmetricKey sec = (SymmetricKey) cloudResolver
.ResolveKeyAsync("https://yourkeyvault.vault.azure.net/secrets/MiplanAdminLocalEncryption",
CancellationToken.None)
.GetAwaiter()
.GetResult();
我还必须使用 PowerShell 将机密添加到我的 Azure Key Vault。通过管理 UI 创建机密无效。以下是我使用的命令:
抱歉图片,但即使粘贴为代码示例,SO 也不会接受上述文本。
有关原始示例,请参阅 this 网站。
我找到了一种通过 Azure 门户添加机密的方法:
//If entering via Azure UI:
//Your secret string must be 16 characters (28 bits) long or end up being 28, 192, 256, 384, or 512 bits.
// Base64 encode using https://www.base64encode.org/
//Take this encoded value and enter it as the secret value in the UI.