群集环境中的ASP.Net Core数据保护API [英] ASP.Net Core Data Protection API in a Clustered Environment

问题描述

我难以理解Data Protection API。

我想在集群环境（服务结构）中建立一些网络核心Web应用程序。以前，您要做的只是确保每台计算机在其web.config中具有相同的密钥。简单。借助新的数据保护API，似乎需要更多（ lottle ！）。

来自文档在这里似乎应该很简单，即使用适当的证书来设置数据保护服务。

但是我尝试这样做：

  public static void Main（string [] args）
 {
 //添加数据保护服务
 var serviceCollection =新的ServiceCollection（）; 
 string thumbPrint = XXXXXXXXXXXX; 
 serviceCollection.AddDataProtection（）
.ProtectKeysWithDpapiNG（$ CERTIFICATE = HashId：{thumbPrint}，标志：Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None）; 
 var services = serviceCollection.BuildServiceProvider（）; 
 
 //使用服务提供者
创建MyClass实例var instance = ActivatorUtilities.CreateInstance< MyClass>（services）; 
 instance.RunSample（）; 
} 
 
公共类MyClass 
 {
 IDataProtector _protector; 
 
 //提供者参数由DI提供
 public MyClass（IDataProtectionProvider provider）
 {
 _protector = provider.CreateProtector（ Contoso.MyClass.v1 ）; 
} 
 
 public void RunSample（）
 {
 Console.Write（ Enter input：）; 
字符串输入= Console.ReadLine（）; 
 
 //保护有效负载
字符串protectedPayload = _protector.Protect（input）; 
 Console.WriteLine（$保护返回：{protectedPayload}）; 
 
 //取消保护有效载荷
字符串unprotectedPayload = _protector.Unprotect（protectedPayload）; 
 Console.WriteLine（$取消保护返回：{unprotectedPayload}）; 
 
 Console.ReadLine（）; 
} 
} 
  

我只是得到一个例外

  System.InvalidOperationException发生
 HResult = 0x80131509 
消息=类型'Microsoft.AspNetCore.DataProtection.Repositories没有服务。 IXmlRepository'已注册。 
  

经过一番挖掘后发现，这是因为没有为键指定持久存储。 / p>

这里有什么建议？我是否应该将密钥保留在某个中央位置（即，可用于我所有应用程序的共享）。如果是这样，原因是什么？

解决方案

您必须提供 IXmlRepository的实现为数据保护API提供了一个存储密钥的地方。 ProtectKeysWith *（）指令可保护静态密钥（从基本意义上讲，在保存密钥之前先对其进行加密！）。其他信息此处。

我最终坚持使用我的AzureStorage密钥。更多信息此处。

  serviceCollection.AddDataProtection（）
 .ProtectKeysWithDpapiNG（$ CERTIFICATE = HashId： {thumbPrint}，标志：Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None）
 .PersistKeysToAzureBlobStorage（/ * params * /）; 
  

还值得注意的是，用于保护密钥的证书必须将其存储在证书存储区中，并且运行该应用程序的帐户必须具有读取权限。请参见此处。

I'm having difficulty understanding the Data Protection API.

I'm wanting to set up some net core web applications in a clustered environment (service fabric). Previously what you'd do is just ensure that each machine has the same key in its web.config. Simple. With the new data protection API it seems a little (lottle!) bit more involved.

From the documentation here it appears that it should be as simple as setting up the Data Protection service with the appropriate certificate.

However I tried this:

    public static void Main(string[] args)
    {
        // add data protection services
        var serviceCollection = new ServiceCollection();
        string thumbPrint = "XXXXXXXXXXXX";
        serviceCollection.AddDataProtection()
            .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None);
        var services = serviceCollection.BuildServiceProvider();

        // create an instance of MyClass using the service provider
        var instance = ActivatorUtilities.CreateInstance<MyClass>(services);
        instance.RunSample();
    }

    public class MyClass
    {
        IDataProtector _protector;

        // the 'provider' parameter is provided by DI
        public MyClass(IDataProtectionProvider provider)
        {
            _protector = provider.CreateProtector("Contoso.MyClass.v1");
        }

        public void RunSample()
        {
            Console.Write("Enter input: ");
            string input = Console.ReadLine();

            // protect the payload
            string protectedPayload = _protector.Protect(input);
            Console.WriteLine($"Protect returned: {protectedPayload}");

            // unprotect the payload
            string unprotectedPayload = _protector.Unprotect(protectedPayload);
            Console.WriteLine($"Unprotect returned: {unprotectedPayload}");

            Console.ReadLine();
        }
    }

And I just get an exception of

System.InvalidOperationException occurred
  HResult=0x80131509
  Message=No service for type 'Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository' has been registered.

Which after some digging around turns out that it's because there is no persisted store specified for the keys.

What is advised here? Should I be persisting my keys to some central location (i.e. a share that is available to all my applications). If so, what is the reason why?

解决方案

You have to supply an implementation of IXmlRepository which provides the data protection API with a place to store the keys. The ProtectKeysWith*() directives protect the keys at rest (in basic terms, encrypts the keys before saving them!). Additional info here.

I ended up persisting my keys to AzureStorage. More info here.

serviceCollection.AddDataProtection()
    .ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None)
    .PersistKeysToAzureBlobStorage(/* params */);

It is also worth noting that the certificate used to protect the keys must be stored in a certificate store and the account which the application is running under must have read access. See here.

这篇关于群集环境中的ASP.Net Core数据保护API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！