This repository was archived by the owner on Oct 17, 2018. It is now read-only.

Unable to retrieve the decryption key when using X509 certificate to protect keys #286

@urbanhusky

Description

I am using .ProtectKeysWithCertificate(X509Certificate2) to protect the keys at rest with an X509 certificate. Creation and encryption of the initial key works fine - but it cannot be decrypted.
Subsequent restarts just add more keys that fail to decrypt.

AspNetCore.All v2.0.3

DPAPI configuration:

```csharp
services.AddDbContext<DataProtectionDbContext>(
    opts =>
    {
        var dpapiMigrationsAssembly = typeof(DataProtectionDbContext).GetTypeInfo().Assembly.GetName().Name;
        opts.UseSqlServer(dpapiConnectionString, b => b.MigrationsAssembly(dpapiMigrationsAssembly));
    },
    ServiceLifetime.Transient); // I don't think that Scoped would be a good idea when the repository is most likely registered as a singleton

var intermittentBuilder = services.BuildServiceProvider();
services.AddDataProtection()
    .ProtectKeysWithCertificate(GetCertificate()) // GetCertificate() loads an X509Certificate2 from disk
    .AddKeyManagementOptions(options => options.XmlRepository = new SqlDatabaseXmlRepository(intermittentBuilder)); // custom IXmlRepository, needs to resolve DataProtectionDbContext hence passing IServiceProvider
```

Errors:

```text
Microsoft.EntityFrameworkCore.Infrastructure:Information: Entity Framework Core 2.0.1-rtm-125 initialized 'DataProtectionDbContext' using provider 'Microsoft.EntityFrameworkCore.SqlServer' with options: MigrationsAssembly=Senseforce.Authentication.Web
Microsoft.EntityFrameworkCore.Database.Command:Information: Executed DbCommand (5ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
SELECT [k].[XmlData]
FROM [dpapi].[DataProtectionKeys] AS [k]
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Information: Creating key {1f208812-c07e-4c45-b231-ab7923ea4bbd} with creation date 2017-11-27 12:55:08Z, activation date 2017-11-27 12:55:08Z, and expiration date 2018-02-25 12:55:08Z.
Microsoft.EntityFrameworkCore.Infrastructure:Information: Entity Framework Core 2.0.1-rtm-125 initialized 'DataProtectionDbContext' using provider 'Microsoft.EntityFrameworkCore.SqlServer' with options: MigrationsAssembly=Senseforce.Authentication.Web
Microsoft.EntityFrameworkCore.Database.Command:Information: Executed DbCommand (24ms) [Parameters=[@__friendlyName_0='?' (Size = 450)], CommandType='Text', CommandTimeout='30']
SELECT TOP(2) [k].[FriendlyName], [k].[XmlData]
FROM [dpapi].[DataProtectionKeys] AS [k]
WHERE [k].[FriendlyName] = @__friendlyName_0
Microsoft.EntityFrameworkCore.Database.Command:Information: Executed DbCommand (1ms) [Parameters=[@p0='?' (Size = 450), @p1='?' (Size = -1)], CommandType='Text', CommandTimeout='30']
SET NOCOUNT ON;
INSERT INTO [dpapi].[DataProtectionKeys] ([FriendlyName], [XmlData])
VALUES (@p0, @p1);
Microsoft.EntityFrameworkCore.Infrastructure:Information: Entity Framework Core 2.0.1-rtm-125 initialized 'DataProtectionDbContext' using provider 'Microsoft.EntityFrameworkCore.SqlServer' with options: MigrationsAssembly=Senseforce.Authentication.Web
Microsoft.EntityFrameworkCore.Database.Command:Information: Executed DbCommand (0ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
SELECT [k].[XmlData]
FROM [dpapi].[DataProtectionKeys] AS [k]
Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager:Error: An exception occurred while processing the key element '<key id="1f208812-c07e-4c45-b231-ab7923ea4bbd" version="1" />'.

System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver:Warning: Key {1f208812-c07e-4c45-b231-ab7923ea4bbd} is ineligible to be the default key because its CreateEncryptor method failed.

System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)
Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver:Warning: Key {1f208812-c07e-4c45-b231-ab7923ea4bbd} is ineligible to be the default key because its CreateEncryptor method failed.

System.Security.Cryptography.CryptographicException: Unable to retrieve the decryption key.
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)
```
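Added example, not the reporter's code or the project's: a Data Protection setup that registers the file-loaded certificate for unprotecting as well as protecting keys, plus a startup check that forces every persisted key's descriptor to be decrypted, so a key ring that can be written but never read back is reported on the first run instead of gaining one more dead key per restart. It assumes a Data Protection package that ships `UnprotectKeysWithAnyCertificate` (2.1 or later, newer than the 2.0.3 in the report); the certificate path, password handling and application name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class DataProtectionSetup
{
    // Placeholder path; the PFX must carry the private key, otherwise nothing can unprotect the keys.
    private const string CertificatePath = "/path/to/placeholder.pfx";

    public static void Configure(IServiceCollection services, string pfxPassword)
    {
        var cert = new X509Certificate2(CertificatePath, pfxPassword);

        services.AddDataProtection()
            .SetApplicationName("placeholder-app")
            // Encrypts each <key> element at rest with the certificate's public key.
            .ProtectKeysWithCertificate(cert)
            // Hands the same certificate (with its private key) to the decryptor explicitly,
            // so unprotecting does not rely on the certificate being found elsewhere.
            .UnprotectKeysWithAnyCertificate(cert);
    }

    // Returns the IDs of persisted keys whose encrypted descriptor cannot be materialized.
    // Call once at startup (e.g. with app.ApplicationServices) and alert on a non-empty result.
    public static Guid[] FindUndecryptableKeys(IServiceProvider provider)
    {
        var keyManager = provider.GetRequiredService<IKeyManager>();
        var logger = provider.GetService<ILoggerFactory>()?.CreateLogger(typeof(DataProtectionSetup));
        var broken = new List<Guid>();

        foreach (var key in keyManager.GetAllKeys())
        {
            try
            {
                // Reading Descriptor is what decrypts the stored <key> element; in the report's
                // stack trace this is the step (KeyBase.get_Descriptor) that throws.
                _ = key.Descriptor;
            }
            catch (CryptographicException ex)
            {
                logger?.LogError(ex, "Key {KeyId} cannot be unprotected with the configured certificate", key.KeyId);
                broken.Add(key.KeyId);
            }
        }
        return broken.ToArray();
    }
}
```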
