
我對此很陌生，請多包涵。我想使用 RsaProtectedConfigurationProvider（或自訂的 ProtectedConfigurationProvider），以 RSA 與 X.509 憑證來加密/解密 .config 檔案中的某個區段。

如果我說錯了請糾正我；根據我目前讀到的資料，我需要做以下幾步：

  1. 取得憑證，並從該憑證取得 RSA 私鑰：

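    // Load the certificate together with its private key from a PFX file.
    // NOTE(review): the PFX password is hard-coded here; in real code take it from a
    // secret store or prompt for it instead of committing it to source control.
    X509Certificate2 cert = new X509Certificate2(pathToCert, "password"); 

    // 'as' yields null when the certificate has no private key or the key is not an
    // RSA CSP key; fail here with a clear message instead of a NullReferenceException
    // at the first use of 'rsa'.
    RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider; 
    if (rsa == null)
    {
        throw new InvalidOperationException(
            "The certificate does not expose an RSA (CSP) private key; a PFX containing an RSA private key is required.");
    }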
    
  2. 將該金鑰載入金鑰容器（key container）：我不確定該怎麼做，因為下面的範例並未考慮憑證。

http://msdn.microsoft.com/en-us/library/tswxhw92(en-us,VS.80).aspx

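// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = "MySuperAwesomeKeyContainer";

// The App.config provider entry is declared with useMachineContainer="true", so the
// container has to live in the machine key store. Without this flag the key pair is
// created in the *current user's* store and RsaProtectedConfigurationProvider, running
// under the application's identity, will not find it.
// NOTE(review): opening a container that does not exist generates a fresh random key
// pair; nothing here imports the certificate's key. Add CspProviderFlags.UseExistingKey
// if silently creating a new key is not acceptable.
cp.Flags = CspProviderFlags.UseMachineKeyStore;

// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MySuperAwesomeKeyContainer.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);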
  3. 然後在 App.config 中指定同一個容器名稱：
<configProtectedData> 
<providers> 
<!-- <clear/> discards the providers inherited from machine.config (the built-in RSA and
     DPAPI providers), so every provider this application uses must be declared below. -->
<clear/> 
    <!-- useMachineContainer="true": the container is looked up in the machine key store, so
         it must be created there (CspProviderFlags.UseMachineKeyStore) and the account the
         application runs under needs read access to that container. -->
    <add name="MyProvider" 
    type="System.Configuration.RsaProtectedConfigurationProvider" 
    keyContainerName="MySuperAwesomeKeyContainer" 
    useMachineContainer="true" /> 
</providers> 
</configProtectedData> 
  4. 然後只要執行以下程式碼，就會使用該 KeyContainer 進行加密/解密：
.... 
// Must match the name="..." of an <add> entry under configProtectedData/providers.
string provider = "MyProvider"; 
// Protect the section.
// This only marks the section for encryption; the encrypted XML is written to the
// file when config.Save(...) is called (the Crypto helper below also sets ForceSave).
connStrings.SectionInformation.ProtectSection(provider); 

這樣對嗎？如果對，具體該怎麼做？我不知道如何從憑證中取出金鑰並載入到 KeyContainer。

感謝

回答


我是這樣做的：

提供者（Provider）實作：

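/// <summary>
/// Protected-configuration provider that encrypts a configuration section with XML
/// Encryption, wrapping the per-section session key under the public key of an X.509
/// certificate taken from a LocalMachine certificate store.
/// </summary>
/// <remarks>
/// Provider attributes read from configProtectedData/providers/add:
///   CertSubjectDistinguishedName - value matched against the certificate subject
///                                  (see <see cref="Initialize"/> for the match semantics).
///   CertStoreName                - optional LocalMachine store name; defaults to "My".
/// Encryption needs only the certificate's public key. <see cref="Decrypt"/> does not use
/// the certificate resolved here at all: EncryptedXml locates the private key itself from
/// the KeyInfo embedded at encryption time, so the certificate *with its private key* must
/// be installed on the machine running the application and the application's identity
/// must be allowed to read that key.
/// </remarks>
public class X509ProtectedConfigProvider : ProtectedConfigurationProvider
{
    #region Fields

    /// <summary>Certificate whose public key wraps the session key in <see cref="Encrypt"/>.</summary>
    private X509Certificate2 cert;

    #endregion

    #region Public Methods and Operators

    /// <summary>
    /// Decrypts a section previously produced by <see cref="Encrypt"/>, in place within
    /// the node's owner document.
    /// </summary>
    /// <param name="encryptedNode">The EncryptedData element of the protected section.</param>
    /// <returns>The owner document's document element after decryption.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="encryptedNode"/> is null.</exception>
    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        if (encryptedNode == null)
        {
            throw new ArgumentNullException("encryptedNode");
        }

        // Work on the owner document directly: DecryptDocument replaces every EncryptedData
        // element it finds with the plaintext. No key mapping is registered, so the key is
        // resolved from the ciphertext's KeyInfo, not from this.cert.
        XmlDocument doc = encryptedNode.OwnerDocument;
        EncryptedXml eXml = new EncryptedXml(doc);

        eXml.DecryptDocument();
        return doc.DocumentElement;
    }

    /// <summary>
    /// Encrypts <paramref name="node"/> with a session key wrapped under the configured
    /// certificate's public key.
    /// </summary>
    /// <param name="node">The plaintext section element.</param>
    /// <returns>The EncryptedData element that replaces the section in the config file.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="node"/> is null.</exception>
    /// <exception cref="InvalidOperationException">No certificate was resolved by <see cref="Initialize"/>.</exception>
    public override XmlNode Encrypt(XmlNode node)
    {
        if (node == null)
        {
            throw new ArgumentNullException("node");
        }

        if (this.cert == null)
        {
            // Fail with a message that names the provider instead of letting EncryptedXml
            // throw on a null certificate.
            throw new InvalidOperationException(
                "X509ProtectedConfigProvider has no certificate; Initialize must resolve CertSubjectDistinguishedName to an installed certificate before Encrypt is called.");
        }

        // Copy the section into its own document so encryption never touches the caller's tree.
        XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(node.OuterXml);

        // This EncryptedXml overload chooses the symmetric cipher and the RSA key-transport
        // scheme itself (per the EncryptedXml documentation) and emits a KeyInfo that
        // identifies the certificate, which is what Decrypt relies on to find the private key.
        EncryptedXml eXml = new EncryptedXml();
        EncryptedData eData = eXml.Encrypt(doc.DocumentElement, this.cert);
        return eData.GetXml();
    }

    /// <summary>
    /// Performs provider initialization: resolves the encryption certificate from the
    /// provider attributes.
    /// </summary>
    /// <param name="name">Provider name from the configuration.</param>
    /// <param name="config">
    /// Provider attributes; CertSubjectDistinguishedName is required, CertStoreName is optional.
    /// </param>
    /// <exception cref="ArgumentNullException"><paramref name="config"/> is null.</exception>
    /// <exception cref="ConfigurationErrorsException">
    /// CertSubjectDistinguishedName is missing, no valid certificate matches it, or more
    /// than one certificate matches it.
    /// </exception>
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);

        if (config == null)
        {
            throw new ArgumentNullException("config");
        }

        string certSubjectDistName = config["CertSubjectDistinguishedName"];
        string certStoreName = config["CertStoreName"];

        if (string.IsNullOrEmpty(certSubjectDistName))
        {
            throw new ConfigurationErrorsException(
                "X509ProtectedConfigProvider requires a CertSubjectDistinguishedName attribute.");
        }

        // X509Store(StoreLocation) opens the "My" store when no name is configured.
        X509Store certStore = !string.IsNullOrEmpty(certStoreName)
            ? new X509Store(certStoreName, StoreLocation.LocalMachine)
            : new X509Store(StoreLocation.LocalMachine);

        try
        {
            certStore.Open(OpenFlags.ReadOnly);

            // NOTE: despite the attribute's name, FindBySubjectName is a *substring* match on
            // the subject, not a distinguished-name comparison, so "localhost" also matches a
            // subject such as "CN=notlocalhost". validOnly=true additionally excludes expired
            // or untrusted certificates, which means an expired certificate silently stops
            // matching rather than producing an obvious error.
            X509Certificate2Collection certs = certStore.Certificates.Find(
                X509FindType.FindBySubjectName, certSubjectDistName, true);

            string storeLabel = string.IsNullOrEmpty(certStoreName) ? "My" : certStoreName;

            // Refuse to guess: encrypting to an unintended certificate yields a section the
            // intended private key cannot decrypt, and leaving this.cert null defers the
            // failure to the first Encrypt call.
            if (certs.Count == 0)
            {
                throw new ConfigurationErrorsException(string.Format(
                    "No valid certificate whose subject contains '{0}' was found in the LocalMachine\\{1} store.",
                    certSubjectDistName, storeLabel));
            }

            if (certs.Count > 1)
            {
                throw new ConfigurationErrorsException(string.Format(
                    "{0} valid certificates in the LocalMachine\\{1} store have a subject containing '{2}'; use a CertSubjectDistinguishedName or CertStoreName that selects exactly one.",
                    certs.Count, storeLabel, certSubjectDistName));
            }

            this.cert = certs[0];
        }
        finally
        {
            certStore.Close();
        }
    }

    #endregion
}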

Helper 類別：

public static class Crypto 
    { 
     // Protect the connectionStrings section. 
     #region Public Methods and Operators 

     public static bool ProtectConfiguration(string path) 
     { 
      string provider = "X509ProtectedConfigProvider"; 

      // Get the application configuration file. 
      Configuration config = ConfigurationManager.OpenExeConfiguration(path); 

      // Get the section to protect. 
      ConfigurationSection connStrings = config.ConnectionStrings; 

      if (connStrings != null) 
      { 
       if (!connStrings.SectionInformation.IsProtected) 
       { 
        if (!connStrings.ElementInformation.IsLocked) 
        { 
         // Protect the section. 
         connStrings.SectionInformation.ProtectSection(provider); 

         connStrings.SectionInformation.ForceSave = true; 
         config.Save(ConfigurationSaveMode.Full); 

         return true; 
        } 

        return false; 
       } 

       return true; 
      } 

      return false; 
     } 

     // Unprotect the connectionStrings section. 
     public static void UnProtectConfiguration(string path) 
     { 
      // Get the application configuration file. 
      Configuration config = ConfigurationManager.OpenExeConfiguration(path); 

      // Get the section to unprotect. 
      ConfigurationSection connStrings = config.ConnectionStrings; 

      if (connStrings != null) 
      { 
       if (connStrings.SectionInformation.IsProtected) 
       { 
        if (!connStrings.ElementInformation.IsLocked) 
        { 
         // Unprotect the section. 
         connStrings.SectionInformation.UnprotectSection(); 

         connStrings.SectionInformation.ForceSave = true; 
         config.Save(ConfigurationSaveMode.Full); 
        } 
       } 
      } 
     } 

     #endregion 
    } 
} 

App.config（注意 configProtectedData 區段）：

<?xml version="1.0"?> 
<configuration> 
    <configSections> 
    <section name="nlog" type="NLog.Config.ConfigSectionHandler, NLog"/> 
    </configSections> 
    <!-- Plaintext until Crypto.ProtectConfiguration runs; after that the provider replaces
         the contents of this element with an <EncryptedData> element and the file must be
         treated as decryptable only where the certificate's private key is installed. -->
    <connectionStrings> 
    <add name="MyDbConnStr" providerName="System.Data.SqlClient" connectionString="Data Source=localhost;Initial Catalog=MyDb;Integrated Security=True;"/> 
    </connectionStrings> 
    <appSettings> 
    <add key="SiteName" value="MyAwesomeSite"/> 
    </appSettings> 
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup> 
    <configProtectedData> 
     <providers> 
      <!-- CertSubjectDistinguishedName is matched with X509FindType.FindBySubjectName in the
           provider's Initialize, i.e. a substring match on the subject, not a full DN.
           CertStoreName is a store under StoreLocation.LocalMachine. The type's assembly
           (with this PublicKeyToken) must be resolvable from the application's bin or the GAC. -->
      <add CertSubjectDistinguishedName="localhost" CertStoreName="MyCertKeyStore" name="X509ProtectedConfigProvider" type="ProtectedConfigProvider.X509ProtectedConfigProvider, X509ProtectedConfigProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=098027505e2ed139" /> 
     </providers> 
    </configProtectedData> 
</configuration> 

程式（用法）：

...

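// Encrypt the connectionStrings section of mysuperawesomeapp.exe.config before it is used.
// ProtectConfiguration returns false when the section is missing or locked; do not carry on
// with a plaintext connection string in that case.
bool protectedNow = Crypto.ProtectConfiguration("mysuperawesomeapp.exe");
if (!protectedNow)
{
    throw new InvalidOperationException("The connectionStrings section could not be protected.");
}

// The configuration system decrypts the protected section transparently when it is read,
// so the database code is unchanged; decryption requires the certificate's private key
// to be installed on this machine.
DatabaseFactory.SetDatabaseProviderFactory(new DatabaseProviderFactory()); 
Database db = DatabaseFactory.CreateDatabase("MyDbConnStr"); 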

在應用程式設定檔的 connectionStrings 區段加密之後，從資料庫讀取仍能正常運作。:)