ASP.NET Core 2.1 中的数据保护仅适用于一台机器
Data protection in ASP.NET Core 2.1 only works on one machine
我正在使用 ASP.NET Core Data Protection system 通过应用程序 A 加密数据并使用应用程序 B 解密数据。
在开发机器上 运行 时加密和解密都可以工作,但是当应用程序 B 移动到生产机器时它不再能够解密,因为 IDataProtector.Unprotect 方法抛出异常:
System.InvalidOperationException: The key ring does not contain a
valid default protection key. The data protection system cannot create
a new key because auto-generation of keys is disabled.
这是我用来在应用程序 B 中配置解密的代码:
sKeysPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Keys");
services.AddDataProtection()
.SetApplicationName("My Application") // Application A sets this same name
.PersistKeysToFileSystem(new DirectoryInfo(sKeysPath))
.ProtectKeysWithCertificate("634D3F23...")
//.ProtectKeysWithCertificate(x509Certificate2) // I've tried using an X509 certificate parameter but it gives the same result as providing the thumbprint of the one in the certificate store
.DisableAutomaticKeyGeneration(); // Application A is the master key generator so do not generate keys
生产机器确实包含相同的密钥文件夹(带有 .pfx 和 .xml 文件)和安装在 Windows 证书存储中的相同密钥。
据我了解,通过向数据保护系统提供证书文件,它应该可以在任何机器上运行,而不是绑定到特定机器或 Windows 用户。这个假设是错误的还是我执行解密的方式有问题?
以下是一些更详细的日志消息:
2018-06-13 16:32:32.6750 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector | 5 | Performing unprotect operation to key {846541...} with purposes ('My Application', 'My Purpose').
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository | 37 | Reading data from file 'C:\inetpub\wwwroot\My Website\Keys\key-846541....xml'.
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 18 | Found key {846541...}.
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 13 | Considering key {846541...} with expiration date 2038-01-18 20:54:13Z as default key.
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.TypeForwardingActivator | Forwarded activator type request from Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=2.1.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60 to Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Culture=neutral, PublicKeyToken=adb9793829ddae60
2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 24 | An exception occurred while processing the key element '<key id="846541..." version="1" />'. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
2018-06-13 16:32:32.7051 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 25 | An exception occurred while processing the key element '<key id="846541..." version="1" />...
2018-06-13 16:32:32.7051 | WARN | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 12 | Key {846541...} is ineligible to be the default key because its CreateEncryptor method failed. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 14 | Key {846541...} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered.
2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 53 | Repository contains no viable default key. Caller should generate a key with immediate activation.
2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 57 | Policy resolution states that a new key should be added to the key ring.
2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 49 | The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled.
2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 48 | An error occurred while reading the key ring. System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.
感谢 Joe Audette 的建议,我检查了详细的日志记录并发现了一个更具体的错误,它指出 this answer 有解决方案。
问题是 Windows 证书库中证书的权限没有将 IIS_IUSRS 组设置为允许读取访问(右键单击证书 → 所有任务 → 管理私钥... ).这个问题没有出现在开发机器上,因为它出现在 Visual Studio 的用户上下文中 运行。
我有一个类似的问题,但它是在两个不同的 ASP.NET 试图共享同一个 cookie 的核心应用程序之间。 Microsoft.AspNetCore.Authentication.Cookies(2.1.2 与 2.2.0)中的次要版本不匹配导致其中一个应用程序无法找到另一个版本创建的密钥。
在此处添加此答案(即使它没有回答上述问题),因为错误消息完全匹配,希望它可以节省一些人的时间。
我在 2.2 应用程序中也遇到了类似的问题,因为证书是自签名的。目前,我通过实现自己的 CertificateResolver class 和 ProtectKeysWithCertificate 方法来回避它,这些方法不验证证书。然而,对我来说真正的解决方案是使用有效的证书。
只是为遇到此问题的任何人提供一些额外信息。
我正在使用 ASP.NET Core Data Protection system 通过应用程序 A 加密数据并使用应用程序 B 解密数据。
在开发机器上 运行 时加密和解密都可以工作,但是当应用程序 B 移动到生产机器时它不再能够解密,因为 IDataProtector.Unprotect 方法抛出异常:
System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.
这是我用来在应用程序 B 中配置解密的代码:
sKeysPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Keys");
services.AddDataProtection()
.SetApplicationName("My Application") // Application A sets this same name
.PersistKeysToFileSystem(new DirectoryInfo(sKeysPath))
.ProtectKeysWithCertificate("634D3F23...")
//.ProtectKeysWithCertificate(x509Certificate2) // I've tried using an X509 certificate parameter but it gives the same result as providing the thumbprint of the one in the certificate store
.DisableAutomaticKeyGeneration(); // Application A is the master key generator so do not generate keys
生产机器确实包含相同的密钥文件夹(带有 .pfx 和 .xml 文件)和安装在 Windows 证书存储中的相同密钥。
据我了解,通过向数据保护系统提供证书文件,它应该可以在任何机器上运行,而不是绑定到特定机器或 Windows 用户。这个假设是错误的还是我执行解密的方式有问题?
以下是一些更详细的日志消息:
2018-06-13 16:32:32.6750 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector | 5 | Performing unprotect operation to key {846541...} with purposes ('My Application', 'My Purpose').
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository | 37 | Reading data from file 'C:\inetpub\wwwroot\My Website\Keys\key-846541....xml'.
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 18 | Found key {846541...}.
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 13 | Considering key {846541...} with expiration date 2038-01-18 20:54:13Z as default key.
2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.TypeForwardingActivator | Forwarded activator type request from Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=2.1.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60 to Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Culture=neutral, PublicKeyToken=adb9793829ddae60
2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 24 | An exception occurred while processing the key element '<key id="846541..." version="1" />'. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
2018-06-13 16:32:32.7051 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 25 | An exception occurred while processing the key element '<key id="846541..." version="1" />...
2018-06-13 16:32:32.7051 | WARN | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 12 | Key {846541...} is ineligible to be the default key because its CreateEncryptor method failed. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 14 | Key {846541...} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered.
2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 53 | Repository contains no viable default key. Caller should generate a key with immediate activation.
2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 57 | Policy resolution states that a new key should be added to the key ring.
2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 49 | The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled.
2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 48 | An error occurred while reading the key ring. System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.
感谢 Joe Audette 的建议,我检查了详细的日志记录并发现了一个更具体的错误,它指出 this answer 有解决方案。
问题是 Windows 证书库中证书的权限没有将 IIS_IUSRS 组设置为允许读取访问(右键单击证书 → 所有任务 → 管理私钥... ).这个问题没有出现在开发机器上,因为它出现在 Visual Studio 的用户上下文中 运行。
我有一个类似的问题,但它是在两个不同的 ASP.NET 试图共享同一个 cookie 的核心应用程序之间。 Microsoft.AspNetCore.Authentication.Cookies(2.1.2 与 2.2.0)中的次要版本不匹配导致其中一个应用程序无法找到另一个版本创建的密钥。
在此处添加此答案(即使它没有回答上述问题),因为错误消息完全匹配,希望它可以节省一些人的时间。
我在 2.2 应用程序中也遇到了类似的问题,因为证书是自签名的。目前,我通过实现自己的 CertificateResolver class 和 ProtectKeysWithCertificate 方法来回避它,这些方法不验证证书。然而,对我来说真正的解决方案是使用有效的证书。
只是为遇到此问题的任何人提供一些额外信息。