
Azure rsaKey from KeyVaultKeyResolver is always null


I'm saving identity documents to Azure blob storage from my MVC / Durandal web application. I'm following this example, "Encrypt blobs in Azure Storage using Azure Key Vault", to store the encryption key.

Here is my code:

    using System;
    using System.Threading;
    using System.Threading.Tasks;
    using System.Web.Configuration;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.KeyVault.Core;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Microsoft.WindowsAzure.Storage;
    using Microsoft.WindowsAzure.Storage.Blob;

    // Uploads the identity document as an encrypted blob and returns its name.
    public async Task<string> UploadIdentityDocumentForClient(string fileName, ParsedClientModel parsedClientModel)
    {
        BlobRequestOptions options = await GetBlobRequestOptions();
        await _storageRepository.CreateEncryptedBlobFromByteArray(
            _storageManager, _containerName, fileName,
            parsedClientModel.IdentityDocumentFile, parsedClientModel.IdentityDocumentContentType, options);
        return fileName;
    }

    // Builds the request options that carry the client-side encryption policy.
    private static async Task<BlobRequestOptions> GetBlobRequestOptions()
    {
        string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
        string secretName = WebConfigurationManager.AppSettings["SecretEncryptionName"];
        // *1
        KeyVaultKeyResolver keyVaultKeyResolver = new KeyVaultKeyResolver(GetAccessToken);

        // *2
        IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
        BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsaKey, null);
        BlobRequestOptions options = new BlobRequestOptions
        {
            EncryptionPolicy = policy
        };
        return options;
    }

    // Callback used by KeyVaultKeyResolver to obtain an AAD token for Key Vault.
    public static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        string clientId = WebConfigurationManager.AppSettings["ClientId"];
        string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
        ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
        AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
        if (result == null)
        {
            throw new InvalidOperationException(
                "GetAccessToken - Failed to obtain the Active Directory token for application.");
        }
        // *3
        return result.AccessToken;
    }

    // Uploads the byte array; the encryption policy in 'options' encrypts it client-side.
    public async Task CreateEncryptedBlobFromByteArray(IStorageManager storageManager, string containerName, string fileName,
        byte[] byteArray, string contentType, BlobRequestOptions options)
    {
        CloudBlobContainer container = await CreateStorageContainerIfNotExists(storageManager, containerName);
        CloudBlockBlob blob = container.GetBlockBlobReference(fileName);
        blob.Properties.ContentType = contentType;
        await blob.UploadFromByteArrayAsync(byteArray, 0, byteArray.Length, AccessCondition.GenerateEmptyCondition(), options, new OperationContext());
    }

This line...

IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();

always returns null.

I added breakpoints in the code above (*1 to *3) and noticed that *2 is always hit before *3. This means the KeyVaultKeyResolver(GetAccessToken) call isn't waiting for the GetAccessToken call to return a value.

Any ideas on what I'm doing wrong?

1 Answer


    I figured out what I was doing wrong.

    At breakpoint 2 I should have used this code:

    SymmetricKey sec = (SymmetricKey) cloudResolver
        .ResolveKeyAsync("https://yourkeyvault.vault.azure.net/secrets/MiplanAdminLocalEncryption",
            CancellationToken.None)
        .GetAwaiter()
        .GetResult();
    

    I also had to add the secret to my Azure Key Vault using PowerShell. Creating the secret through the management UI did not work. Here is the command I used:

    [image: screenshot of the PowerShell command used to add the secret]

    Sorry for the image, but SO would not accept the text above even when pasted as a code sample.

    See this site for the original example.

    I found a way to add the secret through the Azure portal:

    // If entering via the Azure UI:
    // Your secret string must be 16 characters (128 bits) long, or end up being 128, 192, 256, 384, or 512 bits.
    // Base64 encode it using https://www.base64encode.org/
    // Take this encoded value and enter it as the secret value in the UI.
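The length rule in the answer above is the part that silently produces a null key: the resolver base64-decodes the secret value and only builds a SymmetricKey when the decoded bytes are 128, 192, 256, 384 or 512 bits. As an added example (not code from the question, the answer, or the Azure SDK), this Python helper generates a secret value with a CSPRNG instead of typing one into a website, and checks a candidate value against that rule before it is stored in Key Vault; the set of accepted lengths is taken from the answer, and the decode-then-check logic is my reconstruction of the resolver's behaviour.

```python
import base64
import binascii
import secrets

# Key sizes (in bytes) the resolver accepts for a secret it turns into a
# SymmetricKey: 128, 192, 256, 384 and 512 bits (per the answer above).
ALLOWED_KEY_BYTES = {16, 24, 32, 48, 64}


def make_secret_value(bits=256):
    """Return a base64 string holding a random key of the given size.

    This is the value to store as the Key Vault secret; the resolver
    decodes it back into the raw key material.
    """
    if bits % 8 or bits // 8 not in ALLOWED_KEY_BYTES:
        raise ValueError(f"unsupported key size: {bits} bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def check_secret_value(value):
    """Return (ok, reason) for a candidate secret value.

    Mirrors the two ways a secret can yield a null key: the value is not
    valid base64, or it decodes to a length that is not a supported key size.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, "value is not valid base64"
    if len(raw) not in ALLOWED_KEY_BYTES:
        return False, f"decodes to {len(raw) * 8} bits; need 128/192/256/384/512"
    return True, f"{len(raw) * 8}-bit symmetric key"


if __name__ == "__main__":
    # Constructed sample: a 16-character string typed straight into the portal.
    # It happens to be base64-decodable, but to 12 bytes, so the key is null.
    plain = "MyPlainSecret123"
    print(plain, check_secret_value(plain))
    # The same string base64-encoded first decodes to 16 bytes (128 bits).
    encoded = base64.b64encode(plain.encode("ascii")).decode("ascii")
    print(encoded, check_secret_value(encoded))
    # Preferred: a freshly generated 256-bit key.
    print(check_secret_value(make_secret_value(256)))
```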
    
