Why does encrypting a Web.config file work without providing keyContainerName?

Posted 2024-10-17 00:16:05 · 1216 characters · 4 views · 0 comments


So using the aspnet_regiis.exe util I have done the following

//Create the container
aspnet_regiis -pc MyRSAKey -exp

//Write key to file
aspnet_regiis -px MyRSAKey MyRSAKey.xml

//Install the key into a machine-level RSA key provider.
aspnet_regiis -pi MyRSAKey MyRSAKey.xml

//Grant access to the container
aspnet_regiis -pa "MyRSAKey" "NT Authority\Network service"

Now I thought that to use this key I needed to add this to the web.config file

<configProtectedData defaultProvider="MyProviderName">
  <providers>
    <add
      name="MyProviderName"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
      keyContainerName="MyRSAKey"
      useMachineContainer="true" />
  </providers>
</configProtectedData>

Now when I run this command it works:

aspnet_regiis -pef "sectionName" "pathToConfigFile" -prov "MyProviderName"

The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works, suggesting that it's not actually using the key I generated and installed.

Also Visual Studio 2010 doesn't even recognise keyContainerName (or useMachineContainer), saying that the 'keyContainerName' name is not allowed.

What's going on here?
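As an added example (not code from the question, and not Microsoft's tooling), this is the programmatic counterpart of the aspnet_regiis -pef / -pdf commands in the question, with a check of what the encrypted section looks like on disk. The file path, section name and provider name are assumptions; the provider name matches the <add> element above, and the program expects that element to be present in the file it opens.

```csharp
using System;
using System.Configuration;
using System.IO;

// Added example: protect/unprotect a config section through the
// System.Configuration API and verify the result on disk.
class ProtectedSectionDemo
{
    // Hypothetical values; section and provider names mirror the question.
    const string ConfigPath = @"C:\inetpub\wwwroot\MyApp\Web.config";
    const string SectionName = "connectionStrings";
    const string ProviderName = "MyProviderName";

    static Configuration Open(string path)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = path };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Report whether the section is protected, by which provider, and what
    // the raw file contains (the plaintext values must be gone after -pef).
    static void Report(string path)
    {
        var info = Open(path).GetSection(SectionName).SectionInformation;
        Console.WriteLine("{0}: protected={1} provider={2}",
            SectionName, info.IsProtected,
            info.IsProtected ? info.ProtectionProvider.Name : "(none)");

        string raw = File.ReadAllText(path);
        bool marker = raw.Contains("configProtectionProvider=\"" + ProviderName + "\"");
        bool encData = raw.Contains("<EncryptedData");
        Console.WriteLine("  on-disk: provider marker={0}, EncryptedData element={1}", marker, encData);
    }

    // Same effect as: aspnet_regiis -pef connectionStrings <appDir> -prov MyProviderName
    static void Protect(string path)
    {
        var config = Open(path);
        var section = config.GetSection(SectionName);
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(ProviderName);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Same effect as: aspnet_regiis -pdf connectionStrings <appDir>
    // This is the step that needs the right key container: the provider must be
    // able to open the container the section was encrypted with.
    static void Unprotect(string path)
    {
        var config = Open(path);
        var section = config.GetSection(SectionName);
        if (section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : ConfigPath;
        Report(path);
        Protect(path);
        Report(path);   // expect protected=True, provider=MyProviderName, EncryptedData present
        Unprotect(path);
        Report(path);   // expect protected=False again
    }
}
```

Run it as the account that was granted access with aspnet_regiis -pa, against a copy of the web.config rather than the live one. The Report step is the check worth keeping: if protected=True but the raw file still shows the plaintext connection string, the save did not take effect; if Unprotect throws, the provider could not open the key container it was encrypted with.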


Comments (1)

涫野音 2024-10-24 00:16:05


To tackle the two questions out of order:

Visual Studio 2010 doesn't even recognise keyContainerName (or useMachineContainer) saying that the 'keyContainerName' name is not allowed.

What's going on here?

I haven't decompiled the relevant configuration section class to check, but I observe that RsaProtectedConfigurationProvider has properties KeyContainerName and UseMachineContainer, so it seems to be that a) when parsing a providers/add element it uses reflection to set corresponding fields on the instance of type; and b) whoever wrote the XML schema which VS2010 uses to validate .config files forgot an <xsd:anyAttribute> tag.

(FWIW this question is what I was hoping to answer when I discovered your question, which ranks highly in Google for "keycontainername attribute is not allowed").


The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.

When you say "it works", I think you mean that aspnet_regiis -pef doesn't give an error. However, if you try to access the protected configuration section in your code I bet it will complain unless you used the correct keyContainerName.

I suspect that if the name doesn't correspond to a known key container it creates a new one, but I haven't attempted to verify this.
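An added example, not the answerer's code, that tests the two points above directly: whether a provider configured like the question's <add> element is actually bound to the MyRSAKey container, and whether a provider pointed at a different container can decrypt the result. The container name SomeOtherContainer and the sample connection string are constructed; MyRSAKey and MyProviderName are the names from the question.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Xml;

// Added example: check which RSA key container a provider is bound to.
class KeyContainerCheck
{
    const string ContainerName = "MyRSAKey";   // created with aspnet_regiis -pc / -pi

    // Build the provider the same way the <add> element in web.config does.
    static RsaProtectedConfigurationProvider MakeProvider(string container)
    {
        var prov = new RsaProtectedConfigurationProvider();
        var settings = new NameValueCollection
        {
            { "keyContainerName", container },
            { "useMachineContainer", "true" }
        };
        prov.Initialize("MyProviderName", settings);
        return prov;
    }

    // Open the machine-level container only if it already exists. UseExistingKey
    // makes a missing container throw CryptographicException instead of being
    // silently created, which is the check the answer above says it did not run.
    static RSAParameters ExistingContainerPublicKey(string container)
    {
        var csp = new CspParameters
        {
            KeyContainerName = container,
            KeyNumber = 1,   // AT_KEYEXCHANGE, the key the provider uses
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            return rsa.ExportParameters(false);
        }
    }

    static void Main()
    {
        // 1. Does the installed container exist at all?
        RSAParameters installed = ExistingContainerPublicKey(ContainerName);

        // 2. Is the provider bound to that container? Compare public moduli.
        var prov = MakeProvider(ContainerName);
        bool bound = prov.RsaPublicKey.Modulus.SequenceEqual(installed.Modulus);
        Console.WriteLine("provider bound to {0}: {1}", ContainerName, bound);

        // 3. Round-trip a constructed section through the provider.
        var doc = new XmlDocument();
        doc.LoadXml("<connectionStrings><add name=\"db\" " +
                    "connectionString=\"Server=db1;Password=constructed\"/></connectionStrings>");
        XmlNode encrypted = prov.Encrypt(doc.DocumentElement);
        XmlNode decrypted = prov.Decrypt(encrypted);
        Console.WriteLine("round-trip ok: {0}", decrypted.OuterXml.Contains("Password=constructed"));
        Console.WriteLine("ciphertext hides value: {0}", !encrypted.OuterXml.Contains("constructed"));

        // 4. A provider pointed at a different container must not be able to decrypt.
        try
        {
            MakeProvider("SomeOtherContainer").Decrypt(encrypted);
            Console.WriteLine("UNEXPECTED: decrypted with the wrong container");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("wrong container rejected: {0}", ex.Message);
        }
    }
}
```

Run this as an account that was granted access to the container (the aspnet_regiis -pa step). Step 1 runs before anything touches the provider because RsaPublicKey and Encrypt are allowed to open the container in create-if-missing mode, which is exactly the behaviour the answer suspects is behind "it works with any keyContainerName": an encrypt with a name that matches nothing can succeed against a freshly made key. If step 4 leaves a stray container behind, aspnet_regiis -pz SomeOtherContainer removes it.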
