Why encrypting Web.config file works without supplying a keyContainerName?
So using the aspnet_regiis.exe util I have done the following
//Create the container
aspnet_regiis -pc MyRSAKey -exp
//Write key to file
aspnet_regiis -px MyRSAKey MyRSAKey.xml
//Install the key into a machine-level RSA key provider.
aspnet_regiis -pi MyRSAKey MyRSAKey.xml
//Grant access to the container
aspnet_regiis -pa "MyRSAKey" "NT Authority\Network service"
Now I thought that to use this key I needed to add this to the web.config file
<configProtectedData defaultProvider="MyProviderName">
  <providers>
    <add
      name="MyProviderName"
      type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
      keyContainerName="MyRSAKey"
      useMachineContainer="true" />
  </providers>
</configProtectedData>
Now when I run this command it works:
aspnet_regiis -pef "sectionName" "pathToConfigFile" -prov "MyProviderName"
The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.
Also Visual Studio 2010 doesn't even recognise keyContainerName (or useMachineContainer) saying that the 'keyContainerName' name is not allowed.
What's going on here?
To tackle the two questions out of order:
Visual Studio 2010 doesn't even recognise keyContainerName (or useMachineContainer) saying that the 'keyContainerName' name is not allowed. What's going on here?
I haven't decompiled the relevant configuration section class to check, but I observe that RsaProtectedConfigurationProvider has properties KeyContainerName and UseMachineContainer, so it seems to be that a) when parsing a providers/add element it uses reflection to set corresponding fields on the instance of type; and b) whoever wrote the XML schema which VS2010 uses to validate .config files forgot an <xsd:anyAttribute> tag.
(FWIW this question is what I was hoping to answer when I discovered your question, which ranks highly in Google for keycontainername attribute is not allowed).
The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.
When you say "it works", I think you mean that aspnet_regiis -pef doesn't give an error. However, if you try to access the protected configuration section in your code I bet it will complain unless you used the correct keyContainerName.
I suspect that if the name doesn't correspond to a known key container it creates a new one, but I haven't attempted to verify this.
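One way to check which key container a protected section really depends on, as an added example that is not part of the original question or answer: it resolves each section's configProtectionProvider to its keyContainerName and opens that container with UseExistingKey, so a missing container is reported instead of being created. The sample config is constructed, Test-RsaKeyContainer is a hypothetical helper name, and the fallback to NetFrameworkConfigurationKey (the container named by the stock provider entry in machine.config) and to the machine store when the attributes are absent is an assumption.

```powershell
# Constructed sample; for a real file use: [xml]$cfg = Get-Content -Raw 'path\to\web.config'
[xml]$cfg = @'
<configuration>
  <configProtectedData defaultProvider="MyProviderName">
    <providers>
      <add name="MyProviderName"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="MyRSAKey" useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <connectionStrings configProtectionProvider="MyProviderName">
    <EncryptedData />
  </connectionStrings>
</configuration>
'@

# Hypothetical helper: returns $true only if the named container already exists.
function Test-RsaKeyContainer([string]$Name, [bool]$Machine) {
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    # UseExistingKey makes the open fail rather than silently create a new container.
    $flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    if ($Machine) { $flags = $flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore }
    $csp.Flags = $flags
    try { $null = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp); return $true }
    catch { return $false }   # container missing, or this account has no access to it
}

# Index the providers declared in this file by name.
$providers = @{}
$xpath = "//*[local-name()='configProtectedData']/*[local-name()='providers']/*[local-name()='add']"
foreach ($p in $cfg.SelectNodes($xpath)) { $providers[$p.GetAttribute('name')] = $p }

# Every protected section carries a configProtectionProvider attribute.
foreach ($s in $cfg.SelectNodes('//*[@configProtectionProvider]')) {
    $provName = $s.GetAttribute('configProtectionProvider')
    $p = $providers[$provName]
    if (-not $p) { Write-Warning "$($s.LocalName): provider '$provName' is not declared in this file"; continue }
    $container = $p.GetAttribute('keyContainerName')
    if (-not $container) { $container = 'NetFrameworkConfigurationKey' }   # assumed fallback
    $machine = $p.GetAttribute('useMachineContainer') -ne 'false'          # assumed default: machine store
    [pscustomobject]@{
        Section = $s.LocalName; Provider = $provName; Container = $container
        MachineStore = $machine; ContainerExists = (Test-RsaKeyContainer $container $machine)
    }
}
```

Run it from an account that has been granted access to the container (as with aspnet_regiis -pa above); a ContainerExists value of False for the name you expected means the section cannot have been encrypted with the key you installed.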