如何配置“密钥材料"?在Identity Server 4中使用SQL，KeyVault或任何其他系统?

本文介绍了如何配置“密钥材料"?在Identity Server 4中使用SQL，KeyVault或任何其他系统?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

ID4的源代码要求我们配置用于生产的密钥材料".

The source code for ID4 asks us to "configure key material" for use in production.

我已使用以下Powershell脚本创建适合Identity Server 4的密钥.

I've used the following Powershell script to create keys suitable for Identity Server 4.

// (not necessary for this question, but others may find this useful)

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][string]$password = "",
    [Parameter(Mandatory=$true)][string]$rootDomain = ""
)

#https://mcguirev10.com/2018/01/04/localhost-ssl-identityserver-certificates.html#identityserver-token-credentials
$cwd = Convert-Path .
$sCerFile = "$cwd\token_signing.cer"
$sPfxFile = "$cwd\token_signing.pfx"
$vCerFile = "$cwd\token_validation.cer"
$vPfxFile = "$cwd\token_validation.pfx"

# abort if files exist
if((Test-Path($sPfxFile)) -or (Test-Path($sCerFile)) -or (Test-Path($vPfxFile)) -or (Test-Path($vCerFile)))
{
    Write-Warning "Failed, token_signing or token_validation files already exist in current directory."
    Exit
}

function Get-NewCert ([string]$name)
{
    New-SelfSignedCertificate `
        -Subject $rootDomain `
        -DnsName $rootDomain `
        -FriendlyName $name `
        -NotBefore (Get-Date) `
        -NotAfter (Get-Date).AddYears(10) `
        -CertStoreLocation "cert:CurrentUser\My" `
        -KeyAlgorithm RSA `
        -KeyLength 4096 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
        -Type Custom,DocumentEncryptionCert `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
}

$securePass = ConvertTo-SecureString -String $password -Force -AsPlainText

# token signing certificate
$cert = Get-NewCert("IdentityServer Token Signing Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)  
Export-PfxCertificate -Cert $store -FilePath $sPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $sCerFile
Write-Host "Token-signing thumbprint: " $cert.Thumbprint

# token validation certificate
$cert =  Get-NewCert("IdentityServer Token Validation Credentials")
$store = 'Cert:\CurrentUser\My\' + ($cert.ThumbPrint)  
Export-PfxCertificate -Cert $store -FilePath $vPfxFile -Password $securePass
Export-Certificate -Cert $store -FilePath $vCerFile
Write-Host "Token-validation thumbprint: " $cert.Thumbprint

是否有任何占位符的实现或示例实现，可以清楚地告诉我在哪里实现键获取功能，以及有关如何将其正确添加到Startup.cs中的说明?

Are there any implementations, or sample implementations, that have a placeholder to clearly tell me where to implement the key fetch function, and also instruction on how to add that into the Startup.cs correctly?

我仍在尝试了解ASP.NET Core启动/配置/Kestra配置过程，这就是我遇到的问题.

I'm still trying to understand the ASP.NET Core Startup/Configuration/Kestra configuration process, and this is where I'm getting stuck.

如何管理关键材料?
我应该覆盖哪个对象，以及如何配置ID4来使用它?

推荐答案

您可以使用IIdentityServerBuilder api配置签名密钥:

You can configure the signing key by using IIdentityServerBuilder api:

builder.AddSigningCredential(myKeyMaterial);

您已经获得了以下可用的重载:

You've got the below available overloads for this:

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, SigningCredentials credential)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, X509Certificate2 certificate)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, string name, StoreLocation location = StoreLocation.LocalMachine, NameType nameType = NameType.SubjectDistinguishedName)

public static IIdentityServerBuilder AddSigningCredential(this IIdentityServerBuilder builder, RsaSecurityKey rsaKey)

这是我的一个项目中的一个示例，该项目使用X509证书(按主题名称来自本地计算机证书存储):

Here is an example from one of my projects using the X509 certificate by subject name from local machine certificate store:

    private static void AddCertificateFromStore(this IIdentityServerBuilder builder,
        IConfiguration options)
    {
        var subjectName = options.GetValue<string>("SubjectName");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        var certificates = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);

        if (certificates.Count > 0)
        {
            builder.AddSigningCredential(certificates[0]);
        }
        else
            Log.Error("A matching key couldn't be found in the store");
    }

使用这种扩展方法，您可以按以下方式使用它(我喜欢使用托管环境来确定是添加开发人员默认签名凭证还是生产凭证):

With such extension method, you can use it as per below (I like to use hosting environment to determine whether to add developer default signing credentials or production credentials):

        if (environment.IsDevelopment())
        {
            identityServerBuilder.AddDeveloperSigningCredential();
        }
        else
        {
            identityServerBuilder.AddCertificateFromStore(configuration);
        }

这篇关于如何配置“密钥材料"?在Identity Server 4中使用SQL，KeyVault或任何其他系统?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！