[英]How can I create an exportable RSA key with RsaProtectedConfigurationProvider with ProtectSection method in C#
In the following example I protect the "DemoWinApp.Properties.Settings" section of the "Sleutels.config" file.在以下示例中,我保护“Sleutels.config”文件的“DemoWinApp.Properties.Settings”部分。
private static void toggleProtectionSleutelsConfig()
{
var fileMap = new ConfigurationFileMap(@"D:\Experimenten\ReadProtectedConfigFile\Sleutels.config");
var configuration = ConfigurationManager.OpenMappedMachineConfiguration(fileMap);
var sectionGroup = configuration.GetSectionGroup("applicationSettings"); // This is the section group name, change to your needs
var section = (ClientSettingsSection)sectionGroup.Sections.Get("DemoWinApp.Properties.Settings"); // This is the section name, change to your needs
var setting = section.Settings.Get("SecretMessage"); // This is the setting name, change to your needs
Console.WriteLine(setting.Value.ValueXml.InnerText);
// Toggle beveiliging
if (!section.SectionInformation.IsProtected)
{
//Protecting the specified section with the specified provider
section.SectionInformation.ProtectSection("RSA");
}
else
{
section.SectionInformation.UnprotectSection();
}
section.SectionInformation.ForceSave = true;
configuration.Save(ConfigurationSaveMode.Modified);
Console.ReadKey();
}
The contents of the "Sleutels.config" file is: “Sleutels.config”文件的内容是:
<?xml version="1.0" encoding="utf-8" ?> <configuration> <configSections> <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, 
 System, Version=2.0.0.0, Culture=neutral, 
 PublicKeyToken=b77a5c561934e089"> <section name="DemoWinApp.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" /> </sectionGroup> </configSections> <applicationSettings> <DemoWinApp.Properties.Settings> <setting name="SecretMessage" serializeAs="String"> <value>This is the secret message.</value> </setting> </DemoWinApp.Properties.Settings> </applicationSettings> <configProtectedData> <providers> <add name="RSA" type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0,
 Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
 processorArchitecture=MSIL" keyContainerName="RobinsKeys" useMachineContainer="true" /> </providers> </configProtectedData> </configuration>
After running the code the "Sleutels.config" file is encrypted and a RSA key container is created in C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Crypto\\RSA\\MachineKeys
运行代码后,“Sleutels.config”文件被加密,并在
C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Crypto\\RSA\\MachineKeys
创建一个 RSA 密钥容器
If I try to export the RSA key container with the commandline:如果我尝试使用命令行导出 RSA 密钥容器:
c:\windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pc "RobinsKeys" –exp
Then I get the error message:然后我收到错误消息:
Exporting RSA Keys to file...
Key not valid for use in specified state.
This means that the RSA Key container is not marked as "exportable".这意味着 RSA 密钥容器未标记为“可导出”。 If you would create an key container with the command line, then there is an optional parameter "-exp" to mark the key as exportable.
如果您要使用命令行创建密钥容器,则有一个可选参数“-exp”可将密钥标记为可导出。
For example: aspnet_regiis -pc "RobinsKeys" -exp例如:aspnet_regiis -pc "RobinsKeys" -exp
Is this -exp
option also available while using the section.SectionInformation.ProtectSection("RSA");
使用
section.SectionInformation.ProtectSection("RSA");
此-exp
选项是否也可用section.SectionInformation.ProtectSection("RSA");
method in code or as an configuration option in the RSA provider section in the "Sleutels.config" configuration file?代码中的方法还是作为“Sleutels.config”配置文件中RSA提供程序部分中的配置选项?
Any help is appreciated!任何帮助表示赞赏!
To summarize the discussion, you need to create a RSA crypto container programmatically before you can use it to store RSA keys.总结一下讨论,您需要先以编程方式创建RSA 加密容器,然后才能使用它来存储 RSA 密钥。
The reason is that the RSAProtectedConfigurationProvider
doesn't have an option to make the automatically created RSA key container exportable.原因是
RSAProtectedConfigurationProvider
没有使自动创建的 RSA 密钥容器可导出的选项。
As you wrote in the chat, this workaround can be achieved by the following example code (I've added some output to the console, RSA parameters printed are explained here ):正如您在聊天中所写,此解决方法可以通过以下示例代码实现(我已向控制台添加了一些输出, 此处解释了打印的 RSA 参数):
void Main()
{
// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
var cp = new System.Security.Cryptography.CspParameters();
cp.Flags = System.Security.Cryptography.CspProviderFlags.UseMachineKeyStore;
cp.KeyContainerName = "RobinsKeys";
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
// If it is not already there, it will create a new one, which is exportable.
var myRSA = new System.Security.Cryptography.RSACryptoServiceProvider(cp);
// print it on console
Console.WriteLine($"=== Container: {cp.KeyContainerName} ===");
Console.WriteLine(myRSA.ToXmlString(true).Replace("><", ">\n<"));
}
which can be read in more detail here .可以在这里更详细地阅读。 The link provided also shows how to
提供的链接还显示了如何
It might be useful to get a list of containers, this is discussed in a separate question .获取容器列表可能很有用,这将在单独的问题中讨论。
Some more information about key containers you can find in this Microsoft article , also about available aspnet_regiis
parameters.您可以在这篇 Microsoft 文章中找到有关关键容器的更多信息,以及可用的
aspnet_regiis
参数。
Once a RSA container is created, it can be used by IIS.一旦创建了 RSA 容器,IIS 就可以使用它。 It is important to understand the difference between user-level and machine-level key containers, which is described in this documentation .
了解用户级和机器级密钥容器之间的区别很重要,这在本文档中进行了描述。
Kindly let me know if anything is missing from the discussion, and I will update this answer.如果讨论中缺少任何内容,请告诉我,我会更新此答案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.