ASP.NET Core2.1中的数据保护只在一台机器上工作

Question

我使用ASP.NET核心数据保护系统对应用程序A加密数据，并用应用程序B解密数据。

在开发机器上运行时，加密和解密都能工作，但是当应用程序B被移动到生产机器时，它就不能解密了，因为IDataProtector.Unprotect方法会抛出异常：

System.InvalidOperationException:密钥环不包含有效的默认保护密钥。由于禁用了密钥的自动生成，数据保护系统无法创建新的密钥.

下面是我在应用程序B中用于配置解密的代码：

sKeysPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Keys");

services.AddDataProtection()
    .SetApplicationName("My Application") // Application A sets this same name
    .PersistKeysToFileSystem(new DirectoryInfo(sKeysPath))
    .ProtectKeysWithCertificate("634D3F23...")
    //.ProtectKeysWithCertificate(x509Certificate2) // I've tried using an X509 certificate parameter but it gives the same result as providing the thumbprint of the one in the certificate store
    .DisableAutomaticKeyGeneration(); // Application A is the master key generator so do not generate keys

生产机器确实包含相同的密钥文件夹(带有.pfx和.xml文件)和安装在Windows证书存储中的相同密钥。

据我所知，通过向数据保护系统提供证书文件，它应该在任何机器上工作，而不是绑定到特定的计算机或Windows用户。这个假设是不正确的还是我执行解密的方式有问题？

下面是一些更详细的日志记录消息：

2018-06-13 16:32:32.6750 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector | 5 | Performing unprotect operation to key {846541...} with purposes ('My Application', 'My Purpose'). 2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository | 37 | Reading data from file 'C:\inetpub\wwwroot\My Website\Keys\key-846541....xml'. 2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 18 | Found key {846541...}. 2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 13 | Considering key {846541...} with expiration date 2038-01-18 20:54:13Z as default key. 2018-06-13 16:32:32.6750 | DEBUG | Microsoft.AspNetCore.DataProtection.TypeForwardingActivator | Forwarded activator type request from Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Version=2.1.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60 to Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor, Microsoft.AspNetCore.DataProtection, Culture=neutral, PublicKeyToken=adb9793829ddae60 2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 24 | An exception occurred while processing the key element '<key id="846541..." version="1" />'. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist 2018-06-13 16:32:32.7051 | TRACE | Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager | 25 | An exception occurred while processing the key element '<key id="846541..." version="1" />... 2018-06-13 16:32:32.7051 | WARN | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 12 | Key {846541...} is ineligible to be the default key because its CreateEncryptor method failed. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist 2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 14 | Key {846541...} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered. 2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver | 53 | Repository contains no viable default key. Caller should generate a key with immediate activation. 2018-06-13 16:32:32.7051 | DEBUG | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 57 | Policy resolution states that a new key should be added to the key ring. 2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 49 | The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled. 2018-06-13 16:32:32.7051 | ERROR | Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider | 48 | An error occurred while reading the key ring. System.InvalidOperationException: The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled.

Answer 1

由于Joe的建议，我检查了详细的日志记录，发现了一个更具体的错误，它将我引向了这个答案，它提供了解决方案。

问题是，中证书的权限没有将IIS_IUSRS组设置为允许读取访问(右键单击→→…)。此问题没有出现在开发机器上，因为它在Visual的用户上下文下运行。

Answer 2

我也遇到了一个类似的问题，但这是在两个不同的ASP.NET核心应用程序之间，它们试图共享同一个cookie。Microsoft.AspNetCore.Authentication.Cookies (2.1.2vs2.2.0)中的一个小版本错配导致其中一个应用程序无法找到另一个版本创建的键。

在这里添加这个答案(尽管它没有回答上面的问题)，因为错误消息完全匹配，希望它能节省某人几个小时。

Answer 3

我在2.2应用程序中也遇到了类似的问题，因为证书是自签名的。目前，我通过实现自己的CertificateResolver类和不验证证书的ProtectKeysWithCertificate方法而避免了这一点。然而，对我来说，真正的解决办法是使用有效的证书。

给任何遇到这件事的人提供一些额外的信息。