使用 RsaProtectedConfigurationProvider 对不在配置文件中的字符串执行加密
Using RsaProtectedConfigurationProvider to perform encryption on strings not in a config file
我的组织要求使用我们生产服务器上的特定 System.Configuration.RsaProtectedConfigurationProvider 加密敏感连接字符串。但是,我有一个将连接字符串存储在数据库中的应用程序,我想使用相同的密钥对它们进行加密。
我最初的想法是创建一个包含对加密提供程序的引用的虚拟配置文件,用一些文本加载它并执行加密而不必将其写回磁盘。然后我可以将 cipher/plaintext 从 xml:
中拉出来
DummyConfig.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="DummySection" type="virutalConfig.DummySect, virutalConfig, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</configSections>
<DummySection />
<configProtectedData>
<providers>
<add name="MyProvider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
 Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
 processorArchitecture=MSIL"
keyContainerName="MyKeys"
useMachineContainer="true" />
</providers>
</configProtectedData>
</configuration>
Program.cs:
class Program
{
static void Main(string[] args)
{
var fileMap = new ExeConfigurationFileMap
{
ExeConfigFilename = @"c:\virtconfigtest\DummyConfig.config"
};
var config = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
var sect = config.GetSection("DummySection") as DummySect;
sect.Inf = "this is some plaintext!";
sect.SectionInformation.ProtectSection("MyProvider");
//sect.SectionInformation.ForceSave = true;
//config.Save();
if (sect.SectionInformation.IsProtected)
{
Console.WriteLine("Section is protected. Raw XML:");
Console.WriteLine(sect.SectionInformation.GetRawXml());
}
else
{
Console.WriteLine("Section is not protected. Raw XML:");
Console.WriteLine(sect.SectionInformation.GetRawXml());
}
Console.ReadLine();
}
}
public class DummySect : ConfigurationSection
{
public DummySect() { }
[ConfigurationProperty("inf")]
public string Inf
{
get { return (string)this["inf"]; }
set { this["inf"] = value; }
}
}
不幸的是,GetRawXml() 仅 returns 明文,即使要获取此信息,似乎也必须将配置文件写回磁盘。
我可以通过从磁盘读取文件作为 xml 文档来获得我想要的内容,但我宁愿不必这样做。整个计划无论如何都非常糟糕,即使没有添加磁盘写入。我是否必须从提供商处检索 RSA 密钥才能执行此操作?如果可以,怎么做?
经过一些研究和反复试验,我最终弄清楚了如何做到这一点。
配置文件的加密部分如下所示:
<DummySection configProtectionProvider="MyProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>RsMpDD/wJmmpN+Mme+qFuRVm2Ddk759hWM7HaeAnW7xpfkCoC4ko7vDBmqylzQ0QAFL2wuR8u8Bsf+4xwn++Ru/GsEaYrGrcDMYJTuWElyHuxnw+5umqexQJye2R5uL/91alFVNV41HnSPlwuA+pgk14yHSWIflIyKFmUTx58vU=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>lQI7gyQZ2HIIQUdKsp73HrYcebbOiO4dCriwCt5avfVTcxPZEHzaCfV52k+triRwq64uGVCNRpGUe5PCVEfbWwrPHaNaFzRp</CipherValue>
</CipherData>
</EncryptedData>
</DummySection>
密文的第一块是用 RSA 加密的三重 DES 密钥。可以从目录中的文件中获取密钥对:C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
第二部分使用此 DES 密钥加密,并以 64 位初始化向量作为前缀。无奈用方法填充:ISO10126
这里是解密代码:
var cspParameters = new CspParameters()
{
KeyContainerName = "MyKeys",
Flags = CspProviderFlags.UseMachineKeyStore
}; //refers to a file in the machine keys directory
var rsaKey = new RSACryptoServiceProvider(cspParameters);
var t1 =
Convert.FromBase64String(
"RsMpDD/wJmmpN+Mme+qFuRVm2Ddk759hWM7HaeAnW7xpfkCoC4ko7vDBmqylzQ0QAFL2wuR8u8Bsf+4xwn++Ru/GsEaYrGrcDMYJTuWElyHuxnw+5umqexQJye2R5uL/91alFVNV41HnSPlwuA+pgk14yHSWIflIyKFmUTx58vU=");
var t2 =
Convert.FromBase64String(
"lQI7gyQZ2HIIQUdKsp73HrYcebbOiO4dCriwCt5avfVTcxPZEHzaCfV52k+triRwq64uGVCNRpGUe5PCVEfbWwrPHaNaFzRp");
var desKey = rsaKey.Decrypt(t1, false); //get the des key
var iv = t2.Take(8).ToArray(); //get the initialization vector
var ct = t2.Skip(8).ToArray(); //get the actual ciphertext
var desEnc = new TripleDESCryptoServiceProvider()
{
Padding = PaddingMode.ISO10126
};
var plaintext = Encoding.Default.GetString(desEnc.CreateDecryptor(desKey, iv).TransformFinalBlock(ct, 0, ct.Length));
我的组织要求使用我们生产服务器上的特定 System.Configuration.RsaProtectedConfigurationProvider 加密敏感连接字符串。但是,我有一个将连接字符串存储在数据库中的应用程序,我想使用相同的密钥对它们进行加密。
我最初的想法是创建一个包含对加密提供程序的引用的虚拟配置文件,用一些文本加载它并执行加密而不必将其写回磁盘。然后我可以将 cipher/plaintext 从 xml:
中拉出来DummyConfig.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="DummySection" type="virutalConfig.DummySect, virutalConfig, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</configSections>
<DummySection />
<configProtectedData>
<providers>
<add name="MyProvider"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
 Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
 processorArchitecture=MSIL"
keyContainerName="MyKeys"
useMachineContainer="true" />
</providers>
</configProtectedData>
</configuration>
Program.cs:
class Program
{
static void Main(string[] args)
{
var fileMap = new ExeConfigurationFileMap
{
ExeConfigFilename = @"c:\virtconfigtest\DummyConfig.config"
};
var config = ConfigurationManager.OpenMappedExeConfiguration(fileMap, ConfigurationUserLevel.None);
var sect = config.GetSection("DummySection") as DummySect;
sect.Inf = "this is some plaintext!";
sect.SectionInformation.ProtectSection("MyProvider");
//sect.SectionInformation.ForceSave = true;
//config.Save();
if (sect.SectionInformation.IsProtected)
{
Console.WriteLine("Section is protected. Raw XML:");
Console.WriteLine(sect.SectionInformation.GetRawXml());
}
else
{
Console.WriteLine("Section is not protected. Raw XML:");
Console.WriteLine(sect.SectionInformation.GetRawXml());
}
Console.ReadLine();
}
}
public class DummySect : ConfigurationSection
{
public DummySect() { }
[ConfigurationProperty("inf")]
public string Inf
{
get { return (string)this["inf"]; }
set { this["inf"] = value; }
}
}
不幸的是,GetRawXml() 仅 returns 明文,即使要获取此信息,似乎也必须将配置文件写回磁盘。
我可以通过从磁盘读取文件作为 xml 文档来获得我想要的内容,但我宁愿不必这样做。整个计划无论如何都非常糟糕,即使没有添加磁盘写入。我是否必须从提供商处检索 RSA 密钥才能执行此操作?如果可以,怎么做?
经过一些研究和反复试验,我最终弄清楚了如何做到这一点。
配置文件的加密部分如下所示:
<DummySection configProtectionProvider="MyProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>RsMpDD/wJmmpN+Mme+qFuRVm2Ddk759hWM7HaeAnW7xpfkCoC4ko7vDBmqylzQ0QAFL2wuR8u8Bsf+4xwn++Ru/GsEaYrGrcDMYJTuWElyHuxnw+5umqexQJye2R5uL/91alFVNV41HnSPlwuA+pgk14yHSWIflIyKFmUTx58vU=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>lQI7gyQZ2HIIQUdKsp73HrYcebbOiO4dCriwCt5avfVTcxPZEHzaCfV52k+triRwq64uGVCNRpGUe5PCVEfbWwrPHaNaFzRp</CipherValue>
</CipherData>
</EncryptedData>
</DummySection>
密文的第一块是用 RSA 加密的三重 DES 密钥。可以从目录中的文件中获取密钥对:C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
第二部分使用此 DES 密钥加密,并以 64 位初始化向量作为前缀。无奈用方法填充:ISO10126
这里是解密代码:
var cspParameters = new CspParameters()
{
KeyContainerName = "MyKeys",
Flags = CspProviderFlags.UseMachineKeyStore
}; //refers to a file in the machine keys directory
var rsaKey = new RSACryptoServiceProvider(cspParameters);
var t1 =
Convert.FromBase64String(
"RsMpDD/wJmmpN+Mme+qFuRVm2Ddk759hWM7HaeAnW7xpfkCoC4ko7vDBmqylzQ0QAFL2wuR8u8Bsf+4xwn++Ru/GsEaYrGrcDMYJTuWElyHuxnw+5umqexQJye2R5uL/91alFVNV41HnSPlwuA+pgk14yHSWIflIyKFmUTx58vU=");
var t2 =
Convert.FromBase64String(
"lQI7gyQZ2HIIQUdKsp73HrYcebbOiO4dCriwCt5avfVTcxPZEHzaCfV52k+triRwq64uGVCNRpGUe5PCVEfbWwrPHaNaFzRp");
var desKey = rsaKey.Decrypt(t1, false); //get the des key
var iv = t2.Take(8).ToArray(); //get the initialization vector
var ct = t2.Skip(8).ToArray(); //get the actual ciphertext
var desEnc = new TripleDESCryptoServiceProvider()
{
Padding = PaddingMode.ISO10126
};
var plaintext = Encoding.Default.GetString(desEnc.CreateDecryptor(desKey, iv).TransformFinalBlock(ct, 0, ct.Length));