【发布时间】:2020-09-10 13:31:12
【问题描述】:
我有以下代码用于使用安装在本地计算机上的证书访问 KeyVault 中的机密:
static readonly string certThumbprint = "1234...";
static readonly string clientId = "1234...";
static void Main(string[] args)
{
X509Certificate2 certificate = FindCertificateByThumbprint(certThumbprint);
ClientAssertionCertificate assertionCert = new ClientAssertionCertificate(clientId, certificate);
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
(authority, resource, scope) => GetAccessToken(authority, resource, scope, assertionCert)));
string url = "https://myvault.vault.azure.net/";
var result = keyVaultClient.GetSecretAsync(url, "mySecret").Result;
}
private static X509Certificate2 FindCertificateByThumbprint(string certificateThumbprint)
{
if (certificateThumbprint == null)
{
throw new System.ArgumentNullException("CertificateThumbprint");
}
StoreLocation[] storeLocations = (StoreLocation[])Enum.GetValues(typeof(StoreLocation));
foreach (StoreLocation location in storeLocations)
{
foreach (StoreName storeName in (StoreName[])
Enum.GetValues(typeof(StoreName)))
{
X509Store store = new X509Store(storeName, location);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
if (certCollection != null && certCollection.Count != 0)
{
foreach (X509Certificate2 cert in certCollection)
{
if (cert.HasPrivateKey)
{
store.Close();
return cert;
}
}
}
}
}
throw new Exception($"Could not find the certificate with thumbprint {certificateThumbprint} in any certificate store.");
}
private static async Task<string> GetAccessToken(string authority, string resource, string scope, ClientAssertionCertificate assertionCert)
{
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext context = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority, TokenCache.DefaultShared);
AuthenticationResult result = await context.AcquireTokenAsync(resource, assertionCert).ConfigureAwait(false);
return result.AccessToken;
}
这在我安装了以下软件包的 .Net Framework 4.7.2 控制台应用程序中运行良好:
<ItemGroup>
<PackageReference Include="Microsoft.Azure.KeyVault">
<Version>3.0.5</Version>
</PackageReference>
<PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory">
<Version>5.2.8</Version>
</PackageReference>
<PackageReference Include="System.Security.Cryptography.X509Certificates">
<Version>4.3.2</Version>
</PackageReference>
</ItemGroup>
但是,当我在我的 WebAPI 项目 (.Net Framework 4.7.2) 上运行完全相同的代码时,我收到以下错误:
"ClassName": "System.Security.Cryptography.CryptographicException",
"Message": "Invalid provider type specified.\r\n"
根据 Nuget,我安装的包是相同的版本:
<Reference Include="Microsoft.Azure.KeyVault, Version=3.0.5.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.Azure.KeyVault.3.0.5\lib\net461\Microsoft.Azure.KeyVault.dll</HintPath>
</Reference>
<Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory, Version=5.2.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.5.2.8\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll</HintPath>
</Reference>
<Reference Include="System.Security.Cryptography.X509Certificates, Version=4.1.1.2, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
<HintPath>..\packages\System.Security.Cryptography.X509Certificates.4.3.2\lib\net461\System.Security.Cryptography.X509Certificates.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
我猜是其他一些包引起了冲突并解决了所需库之一的一些不正确版本,但我不确定如何诊断和解决。
【问题讨论】:
-
我怀疑私钥使用现代 CNG 密钥存储提供程序而不是传统 CSP。你能确认一下吗?
-
@Crypt32 - 我认为你是对的......我刚刚在 Azure 上生成了一个新证书,安装在本地 + 并且代码在控制台 + WebAPI 项目中都可以正常工作
标签: certificate x509certificate azure-keyvault .net-4.7.2