gpt4 book ai didi

azure - .NET Core 2.2、Azure Web API 新 X509Certificate2 "The system cannot find the file specified"和 "access denied"

转载 作者:行者123 更新时间:2023-12-03 15:44:45 24 4
gpt4 key购买 nike

我的 Azure Web API 加载作为 key 存储在 Key Vault 中的证书,然后尝试从字节数组创建新证书。在本地运行一切正常,但是,当部署到 Azure 时,我们会遇到拒绝访问系统找不到指定的文件,具体取决于传递给的 KeyStorageFlags构造函数。 Web API 使用 .Net Core 2.2

我已经研究这个问题有一段时间了,阅读了大量与此相关的信息,但没有阅读这个特定场景。

使用 MachineKeySet 标志:证书 = new X509Certificate2(pfxBytes, "",
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.Exportable);

异常

ex=Access denied, stack= at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

使用 UserKeySet 标志: 证书 = new X509Certificate2(pfxBytes, "",
X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.UserKeySet |
X509KeyStorageFlags.Exportable);

异常

ex=The system cannot find the file specified, stack= at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

我使用本文将加载证书作为 secret 进行跟踪[https://www.rahulpnath.com/blog/pfx-certificate-in-azure-key-vault/][1] 这似乎与 Key Vault 没有任何关系,因为它在本地从 Key Vault 加载 secret ,并且在 Azure 中加载并不是引发异常的地方。但这可能与证书的存储方式有关?

这是我们正在使用的完整代码

private async Task<X509Certificate2> GetSecretCertificateFromKVAPI()
{
try
{
var keyVaultName = _configuration["Secrets:KeyVaultName"];

var keyVaultEndpoint = $"https://{keyVaultName}.vault.azure.net:443/secrets/";
var provider = new AzureServiceTokenProvider();
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
SecretBundle secretRetrieved;

secretRetrieved = await client.GetSecretAsync($"{keyVaultEndpoint}OdysseyCA");

var pfxBytes = Convert.FromBase64String(secretRetrieved?.Value);

//note, must pass an empty password when loading from keyvault in Azure
X509Certificate2 certificate;
try
{
// or recreate the certificate directly
certificate = new X509Certificate2(pfxBytes, "",
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.Exportable);

// alternative, try using import
//var coll = new X509Certificate2Collection();
//coll.Import(pfxBytes, null, X509KeyStorageFlags.Exportable);
//certificate = coll[0];
}
catch (Exception ex)
{
_logger.Trace($"create new X509 failed, ex={ex.Message}, stack={ex.StackTrace}");
throw;
}

return certificate;
}
catch (Exception ex)
{
_logger.Trace($"GetSecretCertificateFromKVAPI threw an exception, ex={ex.Message}, stack = {ex.StackTrace}");
throw;
}
}

在代码中,您可以看到我们尝试使用 X509Certificate2Collection 类的 .import 方法来解决此问题,但结果是相同的。我们正在积极备份到 .Net Core 2.1 和 2.0,看看这是否是一个新错误并寻找其他答案。

我们如何让它发挥作用?

编辑:根据下面评论中的建议尝试了 EphemeralKeySet 标志,但异常堆栈与其他堆栈几乎相同:

证书 = new X509Certificate2(pfxBytes, "",
X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.EphemeralKeySet |
X509KeyStorageFlags.Exportable);

ex=The system cannot find the file specified, stack = at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags) at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

任何人都可以确认这适用于 .Net 任何版本吗?可能是核心或 2.2 错误吗?

最佳答案

在 Azure 托管的 API 中,添加应用程序设置:WEBSITE_LOAD_USER_PROFILE=1 解决了问题。我们仍然使用 EphemeralKeySet,但我怀疑 UserKeySet 标志也可以工作。

关于azure - .NET Core 2.2、Azure Web API 新 X509Certificate2 "The system cannot find the file specified"和 "access denied",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55051277/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com