c# - 来自 KeyVaultKeyResolver 的 Azure rsaKey 始终为 null

Question

我正在通过 MVC/Durandal Web 应用程序将身份文档保存到 Azure Blob 存储。我正在关注this使用 Azure key 保管库来存储加密 key 来加密 Azure 存储中的 blob 的示例。

这是我的代码:

    public async Task UploadIdentityDocumentForClient(string fileName, ParsedClientModel parsedClientModel)
    {
        BlobRequestOptions options = await GetBlobRequestOptions();
        await
            _storageRepository.CreateEncryptedBlobFromByteArray(_storageManager, _containerName, fileName, parsedClientModel.IdentityDocumentFile, parsedClientModel.IdentityDocumentContentType, options);
        return fileName;
    }


    private static async Task GetBlobRequestOptions()
    {
        string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
        string secretName = WebConfigurationManager.AppSettings["SecretEncryptionName"];
    *1  KeyVaultKeyResolver keyVaultKeyResolver = new KeyVaultKeyResolver(GetAccessToken);

    *2  IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
        BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsaKey, null);
        BlobRequestOptions options = new BlobRequestOptions
        {
            EncryptionPolicy = policy
        };
        return options;
    }


     public static async Task GetAccessToken(string authority, string resource, string scope)
    {
        string clientId = WebConfigurationManager.AppSettings["ClientId"];
        string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
        ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
        AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
        if (result == null)
        {
            throw new InvalidOperationException(
                "GetAccessToken - Failed to obtain the Active Directory token for application.");
        }
    *3  return result.AccessToken;
    }


    public async Task CreateEncryptedBlobFromByteArray(IStorageManager storageManager, string containerName, string fileName,
        byte[] byteArray, string contentType, BlobRequestOptions options)
    {
        CloudBlobContainer container = await CreateStorageContainerIfNotExists(storageManager, containerName);
        CloudBlockBlob blob = container.GetBlockBlobReference(fileName);
        blob.Properties.ContentType = contentType;
        await blob.UploadFromByteArrayAsync(byteArray, 0, byteArray.Length, AccessCondition.GenerateEmptyCondition(), options, new OperationContext());
    }

这一行...

    IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();

始终返回 null。

我在上面的代码中添加了断点(*1 到 *3)，并注意到 *2 总是在 *3 之前被命中。这意味着 KeyVaultKeyResolver(GetAccessToken) 调用不会等待 GetAccessToken 调用返回值。

关于我做错了什么有什么想法吗？

Answer 1

我发现自己做错了什么

断点2在哪里我应该使用这段代码:

SymmetricKey sec = (SymmetricKey) cloudResolver
            .ResolveKeyAsync("https://yourkeyvault.vault.azure.net/secrets/MiplanAdminLocalEncryption",
                CancellationToken.None)
            .GetAwaiter()
            .GetResult();

I also had to add the secret to my Azure Key Vault using PowerShell. Creating the secret via the management UI did not work. Here are the commands I used:

Sorry for image but SO would not accept the above text even when pasted as a code sample.

See this site for the original example.

I found a way to add the secret via the Azure portal:

    //If entering via Azure UI:
    //Your secret string must be 16 characters (28 bits) long or end up being 28, 192, 256, 384, or 512 bits.
    // Base64 encode using https://www.base64encode.org/
    //Take this encoded value and enter it as the secret value in the UI.