在 Azure 上存储和使用现有的数据保护密钥

Store and use existing Data Protection keys on azure

我正在尝试将 prem 密钥与 azure 云设置同步,以便两个环境都可以解密授权 header 访问令牌。

目前我有这个设置:

已将此格式的现有 xml 密钥文件添加到 Azure Blob 存储:

<?xml version="1.0" encoding="utf-8"?>
<key id="id..." version="1">
  <creationDate>2018-05-08T17:44:54.9313191Z</creationDate>
  <activationDate>2018-05-08T17:44:54.8979462Z</activationDate>
  <expirationDate>2023-05-07T17:44:54.8979462Z</expirationDate>
  <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
        <!-- Warning: the key below is in an unencrypted form. -->
        <value>my-shared-key</value>
      </masterKey>
    </descriptor>
  </descriptor>
</key>

像这样在应用程序启动期间注册密钥:

services.AddDataProtection()
  .SetApplicationName("common-app-name")
  .DisableAutomaticKeyGeneration()
  .PersistKeysToAzureBlobStorage(new Uri("my uri/sas"));

在启动期间看到这些 warnings/errors:

warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'creationDate' found in keyring, skipping.
Loaded 
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'creationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'activationDate' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'activationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'expirationDate' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'expirationDate' found in keyring, skipping.
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Warning: Unknown element with name 'descriptor' found in keyring, skipping.
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[15]
      Unknown element with name 'descriptor' found in keyring, skipping.

Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider:Error: An error occurred while reading the key ring.

System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow)
fail: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[48]
      An error occurred while reading the key ring.

我哪里错了?

提前致谢。

更新:

也试过这种方式注册 azure keys,但还是报同样的错误:

var storageAccount = CloudStorageAccount.Parse("<connectionstring + access key>");
var client = storageAccount.CreateCloudBlobClient();

var container = client.GetContainerReference("dev");
container.CreateIfNotExistsAsync().GetAwaiter().GetResult();

services.AddDataProtection()
       .SetApplicationName("common-name")
       .PersistKeysToAzureBlobStorage(container, "keys.xml")
       .DisableAutomaticKeyGeneration();

最终自己找到了答案,不幸的是,MS Azure Docs 中没有任何地方记录此信息。

简单地说,您需要将关键 xml 元素包装在根 <repository></repository> 元素中。