开发者

Why encrypting Web.config file works without supplying a keyContainerName?

So using the aspnet_regiis.exe util I have done the following

//Create the container
aspnet_regiis -pc MyRSAKey -exp

//Write key to file
aspnet_regiis -px MyRSAKey MyRSAKey.xml

//Install the key into a machine-level RSA key provider.
aspnet_regiis -pi MyRSAKey MyRSAKey.xml

//Grant access to the contrainer
aspnet_regiis -pa "MyRSAKey" "NT Authority\Network service"

Now I thought that to use this key I needed to add this to the web.config file

<configProtectedData defaultProvider="MyProviderName">
<providers>
  <add
    name="MyProviderName" 
    type="System.Configuration.RsaProtectedConfigurationProvider,  System.Configurat开发者_JS百科ion, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"           
    keyContainerName="MyRSAKey"
    useMachineContainer="true" />
</providers>

Now when I run this command it works:

aspnet_regiis -pef "sectiomName" "pathToConfigFile" -prov "MyProviderName"

The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.

Also visual studio 2010 doesn't even recognise keyContainerName (or useMachineContainer) saying that the 'keyContainerName' name is not allowed.

What's going on here?


To tackle the two questions out of order:

Visual Studio 2010 doesn't even recognise keyContainerName (or useMachineContainer) saying that the 'keyContainerName' name is not allowed.

What's going on here?

I haven't decompiled the relevant configuration section class to check, but I observe that RsaProtectedConfigurationProvider has properties KeyContainerName and UseMachineContainer, so it seems to be that a) when parsing a providers/add element it uses reflection to set corresponding fields on the instance of type; and b) whoever wrote the XML schema which VS2010 uses to validate .config files forgot an <xsd:anyAttribute> tag.

(FWIW this question is what I was hoping to answer when I discovered your question, which ranks highly in Google for keycontainername attribute is not allowed).


The thing is that it works no matter what value I have for keyContainerName. Or even when I take keyContainerName out of the config file completely it still works suggesting that it's not actually using the key I generated and installed.

When you say "it works", I think you mean that aspnet_regiis -pef doesn't give an error. However, if you try to access the protected configuration section in your code I bet it will complain unless you used the correct keyContainerName.

I suspect that if the name doesn't correspond to a known key container it creates a new one, but I haven't attempted to verify this.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜