为什么加密 Web.config 文件无需提供 keyContainerName 即可工作?
因此,使用 aspnet_regiis.exe util,我完成了以下操作
//Create the container
aspnet_regiis -pc MyRSAKey -exp
//Write key to file
aspnet_regiis -px MyRSAKey MyRSAKey.xml
//Install the key into a machine-level RSA key provider.
aspnet_regiis -pi MyRSAKey MyRSAKey.xml
//Grant access to the contrainer
aspnet_regiis -pa "MyRSAKey" "NT Authority\Network service"
现在我认为要使用此密钥,我需要将其添加到 web.config 文件
<configProtectedData defaultProvider="MyProviderName">
<providers>
<add
name="MyProviderName"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
keyContainerName="MyRSAKey"
useMachineContainer="true" />
</providers>
现在,当我运行此命令时,它可以工作:
aspnet_regiis -pef "sectiomName" "pathToConfigFile" -prov "MyProviderName"
问题是,无论值是什么,它都可以工作我有 keyContainerName。或者,即使我将 keyContainerName 完全从配置文件中取出,它仍然可以工作,表明它实际上并未使用我生成和安装的密钥。
此外,Visual Studio 2010 甚至无法识别 keyContainerName(或 useMachineContainer),并表示不允许使用“keyContainerName”名称。
这是怎么回事?
So using the aspnet_regiis.exe util I have done the following
//Create the container
aspnet_regiis -pc MyRSAKey -exp
//Write key to file
aspnet_regiis -px MyRSAKey MyRSAKey.xml
//Install the key into a machine-level RSA key provider.
aspnet_regiis -pi MyRSAKey MyRSAKey.xml
//Grant access to the contrainer
aspnet_regiis -pa "MyRSAKey" "NT Authority\Network service"
Now I thought that to use this key I needed to add this to the web.config file
<configProtectedData defaultProvider="MyProviderName">
<providers>
<add
name="MyProviderName"
type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
keyContainerName="MyRSAKey"
useMachineContainer="true" />
</providers>
Now when I run this command it works:
aspnet_regiis -pef "sectiomName" "pathToConfigFile" -prov "MyProviderName"
The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.
Also visual studio 2010 doesn't even recognise keyContainerName (or useMachineContainer) saying that the 'keyContainerName' name is not allowed.
What's going on here?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
不按顺序解决两个问题:
我还没有反编译相关的配置节类来检查,但我观察到
RsaProtectedConfigurationProvider
具有属性KeyContainerName
和UseMachineContainer
,所以它似乎是a) 在解析providers/add
元素时,它使用反射来设置type
实例上的相应字段; b) 编写 VS2010 用于验证.config
文件的 XML 模式的人忘记了
标记。(FWIW,当我发现你的问题时,我希望回答这个问题,该问题在 Google 中排名很高,因为
keycontainername attribute is not allowed
)。当您说“它有效”时,我认为您的意思是
aspnet_regiis -pef
不会给出错误。但是,如果您尝试访问代码中受保护的配置部分,我敢打赌它会抱怨,除非您使用正确的keyContainerName
。我怀疑如果该名称与已知的密钥容器不对应,它会创建一个新的密钥容器,但我没有尝试验证这一点。
To tackle the two questions out of order:
I haven't decompiled the relevant configuration section class to check, but I observe that
RsaProtectedConfigurationProvider
has propertiesKeyContainerName
andUseMachineContainer
, so it seems to be that a) when parsing aproviders/add
element it uses reflection to set corresponding fields on the instance oftype
; and b) whoever wrote the XML schema which VS2010 uses to validate.config
files forgot an<xsd:anyAttribute>
tag.(FWIW this question is what I was hoping to answer when I discovered your question, which ranks highly in Google for
keycontainername attribute is not allowed
).When you say "it works", I think you mean that
aspnet_regiis -pef
doesn't give an error. However, if you try to access the protected configuration section in your code I bet it will complain unless you used the correctkeyContainerName
.I suspect that if the name doesn't correspond to a known key container it creates a new one, but I haven't attempted to verify this.