我有代码从 appsettings.json 文件加载 X509 证书以及密码(base64 编码的 pfx 文件),如下所示:
public static X509Certificate2 LoadSsoCertificate(IConfiguration config)
{
//this should be a self-signed PFX certificate with the private key included.
var certificateText = config["SSO:x509Certificate"];
//this should be the password to open/ read the certificate.
var certificatePassword = config["SSO:SecretKeyPassphrase"];
var certificateBytes = Convert.FromBase64String(certificateText);
var cert = new X509Certificate2(certificateBytes, certificatePassword);
return cert;
}
这在本地测试时工作正常,但是当我部署到 Azure 应用服务时,我遇到了这个令人困惑的异常:
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
at MyCompany.AuthenticationServices.Core.Configuration.SingleSignOn.LoadSsoCertificate(IConfiguration config) in d:\a\1\s\MyCompany.AuthenticationServices.Core\Configuration\SingleSignOn.cs:line 43
at MyCompany.AuthenticationServices.Core.Configuration.ConfigureMultiTenantSaml2Options.Configure(Saml2Options options) in d:\a\1\s\MyCompany.AuthenticationServices.Core\Configuration\ConfigureMultiTenantSaml2Options.cs:line 51
at MyCompany.AuthenticationServices.Core.Configuration.ConfigureMultiTenantSaml2Options.Configure(String name, Saml2Options options) in d:\a\1\s\MyCompany.AuthenticationServices.Core\Configuration\ConfigureMultiTenantSaml2Options.cs:line 78
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at Sustainsys.Saml2.AspNetCore2.Saml2Handler.<>c__DisplayClass6_0.<InitializeAsync>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
at System.Lazy`1.CreateValue()
at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
at Sustainsys.Saml2.AspNetCore2.Saml2Handler.InitializeAsync(AuthenticationScheme scheme, HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider.GetHandlerAsync(HttpContext context, String authenticationScheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at MyCompany.SoaToolkit.LoggingContext.AspNetCore.Middleware.Configuration.<>c.<<UseLoggingContextRequests>b__0_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.IISIntegration.IISMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
它说指定的“网络”密码不正确,但它与本地工作的密码相同,所以我无法想象问题实际上是密码,并且它也不应该尝试使用“网络” 。任何人都可以阐明这里的问题是什么,并就如何使这个相对简单的代码工作提供建议吗?
更新
根据@Crypt32的评论,我直接在Azure中创建了一个新证书,并将其作为PFX保存到我的本地桌面,然后对其进行Base64编码并将其硬塞到我的appsettings文件中。同样,这在本地运行良好,但当我部署到 Azure 时,我遇到了类似但同样令人困惑的异常:
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified
at Internal.Cryptography.Pal.StorePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
at MyCompany.AuthenticationServices.Core.Configuration.SingleSignOn.LoadSsoCertificate(IConfiguration config) in D:\a\1\s\MyCompany.AuthenticationServices.Core\Configuration\SingleSignOn.cs:line 40
at MyCompany.AuthenticationServices.Core.Configuration.ConfigureMultiTenantSaml2Options.Configure(Saml2Options options) in D:\a\1\s\MyCompany.AuthenticationServices.Core\Configuration\ConfigureMultiTenantSaml2Options.cs:line 51
at MyCompany.AuthenticationServices.Core.Configuration.ConfigureMultiTenantSaml2Options.Configure(String name, Saml2Options options) in D:\a\1\s\MyCompany.AuthenticationServices.Core\Configuration\ConfigureMultiTenantSaml2Options.cs:line 78
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at Sustainsys.Saml2.AspNetCore2.Saml2Handler.<>c__DisplayClass6_0.<InitializeAsync>b__0()
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
at System.Lazy`1.CreateValue()
at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
at Sustainsys.Saml2.AspNetCore2.Saml2Handler.InitializeAsync(AuthenticationScheme scheme, HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider.GetHandlerAsync(HttpContext context, String authenticationScheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at MyCompany.SoaToolkit.LoggingContext.AspNetCore.Middleware.Configuration.<>c.<<UseLoggingContextRequests>b__0_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNetCore.Server.IISIntegration.IISMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
最佳答案
好吧,@Crypt32 让我走上了正确的道路,但这并不明显。
1) 该问题与密码无关。这与我使用 openssl 和 Windows 10 显然支持的算法制作自签名证书有关……但 Azure 不支持。我在 Azure 上创建了一个新证书,效果很好。
2)我的 keystore 也有问题(这是关于找不到文件的错误),原因我不明白。 Azure 似乎无法弄清楚如何为应用程序服务创建服务帐户 keystore ,这让我大吃一惊。我切换到基于 blob 的 keystore (请参阅 here ),突然之间,事情似乎再次运行......或者至少,没有启动失败。
这个故事的寓意:X509 错误消息比毫无值(value)更糟糕。它会杀死 MS 发出实际描述问题的错误消息吗?希望这个答案能帮助其他人。
关于c# - 加载X509证书: Error in Azure,无法在本地重现,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58644446/