问题描述
我具有以下代码,用于使用本地计算机上安装的证书访问KeyVault中的机密:
static readonly string certThumbprint = "1234...";
static readonly string clientId = "1234...";
static void Main(string[] args)
{
X509Certificate2 certificate = FindCertificateByThumbprint(certThumbprint);
ClientAssertionCertificate assertionCert = new ClientAssertionCertificate(clientId,certificate);
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
(authority,resource,scope) => GetAccessToken(authority,scope,assertionCert)));
string url = "https://myvault.vault.azure.net/";
var result = keyVaultClient.GetSecretAsync(url,"mySecret").Result;
}
private static X509Certificate2 FindCertificateByThumbprint(string certificateThumbprint)
{
if (certificateThumbprint == null)
{
throw new System.ArgumentNullException("CertificateThumbprint");
}
StoreLocation[] storeLocations = (StoreLocation[])Enum.GetValues(typeof(StoreLocation));
foreach (StoreLocation location in storeLocations)
{
foreach (StoreName storeName in (StoreName[])
Enum.GetValues(typeof(StoreName)))
{
X509Store store = new X509Store(storeName,location);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = store.Certificates.Find(X509FindType.FindByThumbprint,certificateThumbprint,false);
if (certCollection != null && certCollection.Count != 0)
{
foreach (X509Certificate2 cert in certCollection)
{
if (cert.HasPrivateKey)
{
store.Close();
return cert;
}
}
}
}
}
throw new Exception($"Could not find the certificate with thumbprint {certificateThumbprint} in any certificate store.");
}
private static async Task<string> GetAccessToken(string authority,string resource,string scope,ClientAssertionCertificate assertionCert)
{
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext context = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority,TokenCache.DefaultShared);
AuthenticationResult result = await context.AcquireTokenAsync(resource,assertionCert).ConfigureAwait(false);
return result.AccessToken;
}
在安装了以下软件包的.Net Framework 4.7.2控制台应用程序中,此方法工作正常:
<ItemGroup>
<PackageReference Include="Microsoft.Azure.KeyVault">
<Version>3.0.5</Version>
</PackageReference>
<PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory">
<Version>5.2.8</Version>
</PackageReference>
<PackageReference Include="System.Security.Cryptography.X509Certificates">
<Version>4.3.2</Version>
</PackageReference>
</ItemGroup>
但是,当我在WebAPI项目(.Net Framework 4.7.2)上运行完全相同的代码时,出现以下错误:
"ClassName": "System.Security.Cryptography.CryptographicException","Message": "Invalid provider type specified.\r\n"
我安装的软件包与Nuget的版本相同:
<Reference Include="Microsoft.Azure.KeyVault,Version=3.0.5.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.Azure.KeyVault.3.0.5\lib\net461\Microsoft.Azure.KeyVault.dll</HintPath>
</Reference>
<Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory,Version=5.2.8.0,processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.5.2.8\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll</HintPath>
</Reference>
<Reference Include="System.Security.Cryptography.X509Certificates,Version=4.1.1.2,PublicKeyToken=b03f5f7f11d50a3a,processorArchitecture=MSIL">
<HintPath>..\packages\System.Security.Cryptography.X509Certificates.4.3.2\lib\net461\System.Security.Cryptography.X509Certificates.dll</HintPath>
<Private>True</Private>
<Private>True</Private>
</Reference>
我猜想其他软件包正在引起冲突,并解决了所需库之一的某些错误版本,但是我不确定如何诊断和解决。
解决方法
此异常的最可能原因是证书的私钥存储在现代的CNG密钥存储提供程序中,而不是传统的CAPI加密服务提供程序中。在做出此响应时,Azure Key Vault已与CNG发生兼容性问题,因此,您应尝试生成新证书并选择旧版CAPI CSP来存储密钥材料。