如何在没有得到CryptographicException的情况下在Azure WebJob上签名JWT令牌? [英] How can I sign a JWT token on an Azure WebJob without getting a CryptographicException?

问题描述

我有一个WebJob，需要创建一个JWT令牌才能与外部服务对话.在本地计算机上运行WebJob时，以下代码有效:

I have a WebJob that needs to create a JWT token to talk with an external service. The following code works when I run the WebJob on my local machine:

public static string SignES256(byte[] p8Certificate, object header, object payload)
{
    var headerString = JsonConvert.SerializeObject(header);
    var payloadString = JsonConvert.SerializeObject(payload);

    CngKey key = CngKey.Import(p8Certificate, CngKeyBlobFormat.Pkcs8PrivateBlob);
    using (ECDsaCng dsa = new ECDsaCng(key))
    {
        dsa.HashAlgorithm = CngAlgorithm.Sha256;
        var unsignedJwtData = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(headerString)) + "." + Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(payloadString));
        var signature = dsa.SignData(Encoding.UTF8.GetBytes(unsignedJwtData));
        return unsignedJwtData + "." + Base64UrlEncoder.Encode(signature);
    }
}

但是，当我将WebJob部署到Azure时，会出现以下异常:

However, when I deploy my WebJob to Azure, I get the following exception:

Microsoft.Azure.WebJobs.Host.FunctionInvocationException:执行函数时发生异常:NotificationFunctions.QueueOperation ---> System.Security.Cryptography.CryptographicException:系统找不到指定的文件.在System.Security.Cryptography.NCryptNative.ImportKey(SafeNCryptProviderHandle提供者，Byte [] keyBlob，字符串格式)在System.Security.Cryptography.CngKey.Import(Byte [] keyBlob，CngKeyBlobFormat格式，CngProvider提供者)

Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: NotificationFunctions.QueueOperation ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.NCryptNative.ImportKey(SafeNCryptProviderHandle provider, Byte[] keyBlob, String format) at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider)

它说找不到指定的文件，但是我传入的参数不是在查看文件位置，而是在内存中.从我收集到的信息来看，可能需要启用某种加密设置才能使用CngKey.Import方法，但是我无法在Azure门户中找到任何与此相关的配置.

It says it can't find a specified file, but the parameters I am passing in are not looking at a file location, they are in memory. From what I have gathered, there may be some kind of cryptography setting I need to enable to be able to use the CngKey.Import method, but I can't find any settings in the Azure portal to configure related to this.

我也尝试过使用JwtSecurityTokenHandler，但是它似乎无法处理我需要使用的ES256哈希算法(即使它在JwtAlgorithms类中被称为ECDSA_SHA256).

I have also tried using JwtSecurityTokenHandler, but it doesn't seem to handle the ES256 hashing algorithm I need to use (even though it is referenced in the JwtAlgorithms class as ECDSA_SHA256).

任何建议将不胜感激！

更新

似乎CngKey.Import实际上可能试图将证书存储在Azure上不可访问的位置.我不需要将其存储，因此，如果有更好的方法可以访问内存中的证书或将其转换为更易于使用的另一种证书，那么它将起作用.

It appears that CngKey.Import may actually be trying to store the certificate somewhere that is not accessible on Azure. I don't need it stored, so if there is a better way to access the certificate in memory or convert it to a different kind of certificate that would be easier to use that would work.

更新2

此问题可能与

This issue might be related to Azure Web Apps IIS setting not loading the user profile as mentioned here. I have enabled this by setting WEBSITE_LOAD_USER_PROFILE = 1 in the Azure portal app settings. I have tried with this update when running the code both via the WebJob and the Web App in Azure but I still receive the same error.

推荐答案

我使用了反编译器来了解CngKey.Import方法的实际作用.看起来它试图将我正在使用的证书插入"Microsoft软件密钥存储提供程序"中.我实际上不需要这个，只需要读取证书的值，但是看起来不可能.

I used a decompiler to take a look under the hood at what the CngKey.Import method was actually doing. It looks like it tries to insert the certificate I am using into the "Microsoft Software Key Storage Provider". I don't actually need this, just need to read the value of the certificate but it doesn't look like that is possible.

一旦我意识到要将证书插入到机器中某处的商店中，我就开始考虑如果您的Azure Web App在共享环境中运行，那么从安全角度来看，这种想法有多么糟糕适用于免费和共享级别.果然，我的VM在共享层上.将其扩展到基本层即可解决此问题.

Once I realized a certificate is getting inserted into a store somewhere one the machine, I started thinking about how bad of a think that would be from a security standpoint if your Azure Web App was running in a shared environment, like it does for the Free and Shared tiers. Sure enough, my VM was on the Shared tier. Scaling it up to the Basic tier resolved this issue.

这篇关于如何在没有得到CryptographicException的情况下在Azure WebJob上签名JWT令牌?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！