ProtectedConfigurationProvider using Rsa and x509 certificate

I'm new to this, so please bear with me. I'm trying to use RsaProtectedConfigurationProvider to encrypt/decrypt .config sections.

Correct me if I'm wrong, but from what I've been reading, I need to do the following:

1. Get the certificate and the public key of that certificate:

```csharp
X509Certificate2 cert = new X509Certificate2(pathToCert, "password");
RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
```

2. Load this into a container: not sure how to do this, since the example below doesn't mention a certificate

http://msdn.microsoft.com/zh-CN/library/tswxhw92(zh-CN,VS.80).aspx

```csharp
// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = "MySuperAwesomeKeyContainer";

// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);
```

```xml
<configProtectedData>
  <providers>
    <clear/>
    <add name="MyProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider"
         keyContainerName="MySuperAwesomeKeyContainer"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
```

```csharp
....
string provider = "MyProvider";

// Protect the section.
connStrings.SectionInformation.ProtectSection(provider);
```

Is this right? If so, what do I do next? Not sure how to get those keys from the certificate and load them into the KeyContainer.

Thanks
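The import step the question is asking about, as an added example that is not from the original post or from any of the answers: it copies the RSA private key out of a PFX file into a named machine-level CSP key container, which is exactly what the built-in RsaProtectedConfigurationProvider reads through `keyContainerName` with `useMachineContainer="true"`. Decryption needs the private key, so the PFX must contain one and must be loaded as exportable. The PFX path, password and container name are placeholders, and the code assumes .NET Framework 4.6 or later for `GetRSAPrivateKey()`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: import a PFX's RSA key pair into a named machine key container
// for use by System.Configuration.RsaProtectedConfigurationProvider.
public static class KeyContainerImport
{
    public static void ImportPfxIntoContainer(string pfxPath, string pfxPassword, string containerName)
    {
        // Exportable is required; without it ExportParameters(true) throws CryptographicException.
        var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key; decryption would be impossible.");

        RSAParameters keyPair;
        using (RSA source = cert.GetRSAPrivateKey())
        {
            keyPair = source.ExportParameters(true); // true = include the private parameters
        }

        var cp = new CspParameters
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore // pairs with useMachineContainer="true"
        };

        // Opening a container that does not exist creates a fresh key in it; deleting
        // first guarantees the container ends up holding only the imported key.
        using (var stale = new RSACryptoServiceProvider(cp))
        {
            stale.PersistKeyInCsp = false;
            stale.Clear(); // removes the key container from the CSP
        }

        using (var target = new RSACryptoServiceProvider(cp))
        {
            target.PersistKeyInCsp = true;   // keep it after this object is disposed
            target.ImportParameters(keyPair);
        }

        // Scrub the in-memory copy of the private exponent and CRT parameters.
        Array.Clear(keyPair.D, 0, keyPair.D.Length);
        Array.Clear(keyPair.P, 0, keyPair.P.Length);
        Array.Clear(keyPair.Q, 0, keyPair.Q.Length);
    }

    public static void Main()
    {
        // Placeholder values (assumptions for this example).
        ImportPfxIntoContainer(@"C:\certs\config.pfx", "password", "MySuperAwesomeKeyContainer");
        Console.WriteLine("Key imported into machine container MySuperAwesomeKeyContainer");
    }
}
```

After the import, the `<configProtectedData>` entry from the question works unchanged with `keyContainerName="MySuperAwesomeKeyContainer"`. The account that runs the application needs read access to that container; for an ASP.NET site that is granted with `aspnet_regiis -pa "MySuperAwesomeKeyContainer" "<app pool identity>"`. Run the import itself under an account that may hold the key, since whoever can read the container can decrypt every section protected with it.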
I did it like this:

Provider implementation:
```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

namespace ProtectedConfigProvider
{
    public class X509ProtectedConfigProvider : ProtectedConfigurationProvider
    {
        private X509Certificate2 cert;

        // Performs provider initialization: locate the certificate named by the
        // provider's <add .../> attributes in the LocalMachine store.
        public override void Initialize(string name, NameValueCollection config)
        {
            base.Initialize(name, config);
            string certSubjectDistName = config["CertSubjectDistinguishedName"];
            string certStoreName = config["CertStoreName"];

            // No CertStoreName means the default "My" (Personal) store.
            X509Store certStore = !string.IsNullOrEmpty(certStoreName)
                ? new X509Store(certStoreName, StoreLocation.LocalMachine)
                : new X509Store(StoreLocation.LocalMachine);
            try
            {
                certStore.Open(OpenFlags.ReadOnly);
                // FindBySubjectName is a substring match on the subject, not a full DN
                // match; validOnly = true also skips certificates whose chain fails to
                // validate (an untrusted self-signed certificate is not returned).
                X509Certificate2Collection certs = certStore.Certificates.Find(
                    X509FindType.FindBySubjectName, certSubjectDistName, true);
                this.cert = certs.Count > 0 ? certs[0] : null;
            }
            finally
            {
                certStore.Close();
            }

            // Fail at startup rather than with a NullReferenceException on first Encrypt.
            if (this.cert == null)
            {
                throw new ConfigurationErrorsException(
                    "No valid certificate with subject '" + certSubjectDistName +
                    "' found in LocalMachine store '" + (certStoreName ?? "My") + "'.");
            }
        }

        // Encrypts the section. EncryptedXml.Encrypt with a certificate wraps a random
        // AES-256 session key with the certificate's RSA public key and embeds the
        // certificate in the KeyInfo of the resulting <EncryptedData>.
        public override XmlNode Encrypt(XmlNode node)
        {
            // Load the config section to encrypt into an XmlDocument instance
            XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml(node.OuterXml);

            EncryptedXml eXml = new EncryptedXml();
            EncryptedData eData = eXml.Encrypt(doc.DocumentElement, this.cert);
            return eData.GetXml();
        }

        // Decrypts the section. With no key mapping registered, DecryptDocument resolves
        // the embedded certificate against the local certificate stores to find the
        // private key, so the account reading the config needs access to that key.
        public override XmlNode Decrypt(XmlNode encryptedNode)
        {
            // Work on a copy of the <EncryptedData> node rather than its owner document
            XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml(encryptedNode.OuterXml);

            EncryptedXml eXml = new EncryptedXml(doc);
            eXml.DecryptDocument();
            return doc.DocumentElement;
        }
    }
}
```
Helper class:

```csharp
using System.Configuration;

public static class Crypto
{
    // Protect the connectionStrings section.
    // Returns true when the section is protected on return (newly or already),
    // false when there is no section or it is locked and cannot be changed.
    public static bool ProtectConfiguration(string path)
    {
        string provider = "X509ProtectedConfigProvider";

        // Get the application configuration file (<path>.config).
        Configuration config = ConfigurationManager.OpenExeConfiguration(path);

        // Get the section to protect.
        ConfigurationSection connStrings = config.ConnectionStrings;
        if (connStrings != null)
        {
            if (!connStrings.SectionInformation.IsProtected)
            {
                if (!connStrings.ElementInformation.IsLocked)
                {
                    // Protect the section.
                    connStrings.SectionInformation.ProtectSection(provider);
                    connStrings.SectionInformation.ForceSave = true;
                    config.Save(ConfigurationSaveMode.Full);
                    return true;
                }
                return false;
            }
            return true;
        }
        return false;
    }

    // Unprotect the connectionStrings section.
    public static void UnProtectConfiguration(string path)
    {
        // Get the application configuration file.
        Configuration config = ConfigurationManager.OpenExeConfiguration(path);

        // Get the section to unprotect.
        ConfigurationSection connStrings = config.ConnectionStrings;
        if (connStrings != null)
        {
            if (connStrings.SectionInformation.IsProtected)
            {
                if (!connStrings.ElementInformation.IsLocked)
                {
                    // Unprotect the section.
                    connStrings.SectionInformation.UnprotectSection();
                    connStrings.SectionInformation.ForceSave = true;
                    config.Save(ConfigurationSaveMode.Full);
                }
            }
        }
    }
}
```
App.Config (note configProtectedData):

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="nlog" type="NLog.Config.ConfigSectionHandler, NLog"/>
  </configSections>
  <connectionStrings>
    <add name="MyDbConnStr" providerName="System.Data.SqlClient" connectionString="Data Source=localhost;Initial Catalog=MyDb;Integrated Security=True;"/>
  </connectionStrings>
  <appSettings>
    <add key="SiteName" value="MyAwesomeSite"/>
  </appSettings>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup>
  <configProtectedData>
    <providers>
      <add CertSubjectDistinguishedName="localhost" CertStoreName="MyCertKeyStore" name="X509ProtectedConfigProvider" type="ProtectedConfigProvider.X509ProtectedConfigProvider, X509ProtectedConfigProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=098027505e2ed139" />
    </providers>
  </configProtectedData>
</configuration>
```
Program (usage):

```csharp
...
// Encrypt the connectionStrings section of mysuperawesomeapp.exe.config
Crypto.ProtectConfiguration("mysuperawesomeapp.exe");

// Enterprise Library data access: the connection string is decrypted transparently
DatabaseFactory.SetDatabaseProviderFactory(new DatabaseProviderFactory());
Database db = DatabaseFactory.CreateDatabase("MyDbConnStr");
```
Reading from db works fine with the encrypted "connectionStrings" section of the app config. :)
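A check for what `Crypto.ProtectConfiguration` above leaves behind, as an added example rather than code from the answer: it confirms the section is marked protected by the expected provider, that the plaintext connection string no longer appears in the file on disk while an `<EncryptedData>` element does, and that transparent decryption still yields the plaintext in memory. The provider name, connection-string name and plaintext marker are taken from the answer's App.config and are assumptions for this example.

```csharp
using System;
using System.Configuration;
using System.IO;

// Added example: verify that a connectionStrings section was actually protected.
public static class ProtectionCheck
{
    // Returns true only if all three conditions hold. A decryption failure (for
    // instance when run under an account without access to the certificate's private
    // key) surfaces as ConfigurationErrorsException and is reported as false.
    public static bool Verify(string exePath, string expectedProvider, string connName, string plaintextMarker)
    {
        try
        {
            Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
            ConnectionStringsSection section = config.ConnectionStrings;
            SectionInformation info = section.SectionInformation;

            // 1. The section is protected, and by the provider we expect.
            if (!info.IsProtected || info.ProtectionProvider == null
                || info.ProtectionProvider.Name != expectedProvider)
                return false;

            // 2. The raw file holds <EncryptedData> and no plaintext secret.
            string onDisk = File.ReadAllText(config.FilePath);
            if (!onDisk.Contains("<EncryptedData") || onDisk.Contains(plaintextMarker))
                return false;

            // 3. Transparent decryption returns the plaintext to the application.
            ConnectionStringSettings cs = section.ConnectionStrings[connName];
            return cs != null && cs.ConnectionString.Contains(plaintextMarker);
        }
        catch (ConfigurationErrorsException ex)
        {
            Console.Error.WriteLine("Decryption failed: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        // Values below mirror the answer's App.config (assumptions for this example).
        bool ok = Verify("mysuperawesomeapp.exe", "X509ProtectedConfigProvider",
                         "MyDbConnStr", "Initial Catalog=MyDb");
        Console.WriteLine(ok ? "connectionStrings protected correctly" : "protection check FAILED");
    }
}
```

Run it under the same account as the application: condition 3 only passes when that account can reach the certificate's private key, which is the property you actually want to confirm before deploying.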
You'll find the steps here: Walkthrough: Creating and Exporting an RSA Key Container. You don't need a certificate; you can generate the key container directly.
If you want to encrypt a custom configuration section, there's a trick to make it work: you have to remove the configSection declaration. I wrote up the details here: How to encrypt custom configuration sections in ASP.NET.
Notice: the technical posts on this site are licensed under CC BY-SA 4.0. If you need to reproduce them, please cite this site's URL or the original URL. For any questions, contact: yoyou2525@163.com.