.NetCore分布式部署中的DataProtection密钥安全性

namespace Microsoft.AspNetCore.DataProtection{ ???/// <summary> ???/// Extensions for configuring data protection using an <see cref="IDataProtectionBuilder"/>. ???/// </summary> ???public static class DataProtectionBuilderExtensions ???{ ???????/// <summary> ???????/// Configures keys to be encrypted with AES before being persisted to ???????/// storage. ???????/// </summary> ???????/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param> ???????/// use on the local machine, ‘false‘ if the key should only be decryptable by the current ???????/// Windows user account.</param> ???????/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns> ???????public static IDataProtectionBuilder ProtectKeysWithAES(this IDataProtectionBuilder builder) ???????{ ???????????if (builder == null) ???????????{ ???????????????throw new ArgumentNullException(nameof(builder)); ???????????} ???????????builder.Services.AddSingleton<IConfigureOptions<KeyManagementOptions>>(services => ???????????{ ???????????????//var loggerFactory = services.GetService<ILoggerFactory>() ?? NullLoggerFactory.Instance; ???????????????return new ConfigureOptions<KeyManagementOptions>(options => ???????????????{ ???????????????????options.XmlEncryptor = new AesXmlEncryptor(); ???????????????}); ???????????}); ???????????return builder; ???????} ???} ???/// <summary> ???/// An <see cref="IXmlEncryptor"/> that encrypts XML elements with a Aes encryptor. ???/// </summary> ???sealed class AesXmlEncryptor : IXmlEncryptor ???{ ???????/// <summary> ???????/// Encrypts the specified <see cref="XElement"/> with a null encryptor, i.e., ???????/// by returning the original value of <paramref name="plaintextElement"/> unencrypted. ???????/// </summary> ???????/// <param name="plaintextElement">The plaintext to echo back.</param> ???????/// <returns> ???????/// An <see cref="EncryptedXmlInfo"/> that contains the null-encrypted value of ???????/// <paramref name="plaintextElement"/> along with information about how to ???????/// decrypt it. ???????/// </returns> ???????public EncryptedXmlInfo Encrypt(XElement plaintextElement) ???????{ ???????????if (plaintextElement == null) ???????????{ ???????????????throw new ArgumentNullException(nameof(plaintextElement)); ???????????} ???????????// <encryptedKey> ???????????// ??<!-- This key is encrypted with {provider}. --> ???????????// ??<value>{base64}</value> ???????????// </encryptedKey> ???????????var Jsonxmlstr =JsonConvert.SerializeObject(plaintextElement); ???????????var EncryptedData = EncryptHelper.AESEncrypt(Jsonxmlstr, "b587be32-0420-4eb1-89c6-01bb999e18fe"); ???????????var newElement = new XElement("encryptedKey", ???????????????new XComment(" This key is encrypted with AES."), ???????????????new XElement("value",EncryptedData)); ???????????return new EncryptedXmlInfo(newElement, typeof(AesXmlDecryptor)); ???????} ???} ???/// <summary> ???/// An <see cref="IXmlDecryptor"/> that decrypts XML elements with a Aes decryptor. ???/// </summary> ???sealed class AesXmlDecryptor : IXmlDecryptor ???{ ???????/// <summary> ???????/// Decrypts the specified XML element. ???????/// </summary> ???????/// <param name="encryptedElement">An encrypted XML element.</param> ???????/// <returns>The decrypted form of <paramref name="encryptedElement"/>.</returns> ???????public XElement Decrypt(XElement encryptedElement) ???????{ ???????????if (encryptedElement == null) ???????????{ ???????????????throw new ArgumentNullException(nameof(encryptedElement)); ???????????} ???????????// <encryptedKey> ???????????// ??<!-- This key is encrypted with {provider}. --> ???????????// ??<value>{base64}</value> ???????????// </encryptedKey> ???????????var EncryptedData=(string)encryptedElement.Element("value"); ???????????var Jsonxmlstr = EncryptHelper.AESDecrypt(EncryptedData, "b587be32-0420-4eb1-89c6-01bb999e18fe"); ???????????// Return a clone of the single child node. ???????????return JsonConvert.DeserializeObject<XElement>(Jsonxmlstr); ???????} ???} ???#region AES ???public class EncryptHelper ???{ ???????static readonly byte[] AES_IV = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF }; ???????/// <summary> ???????/// AES加密算法 ???????/// </summary> ???????/// <param name="encryptString">加密前字符串</param> ???????/// <param name="keytype">秘钥</param> ???????/// <returns></returns> ???????public static string AESEncrypt(string encryptString, string encryptKey) ???????{ ???????????if (string.IsNullOrWhiteSpace(encryptString)) return null; ???????????if (string.IsNullOrWhiteSpace(encryptKey)) return null; ???????????encryptKey = encryptKey.PadRight(32, ‘ ‘); ???????????byte[] keyBytes = Encoding.UTF8.GetBytes(encryptKey.Substring(0, 32)); ???????????using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider()) ???????????{ ???????????????aesAlg.Key = keyBytes; ???????????????aesAlg.IV = AES_IV; ???????????????ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV); ???????????????using (MemoryStream msEncrypt = new MemoryStream()) ???????????????{ ???????????????????using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write)) ???????????????????{ ???????????????????????using (StreamWriter swEncrypt = new StreamWriter(csEncrypt)) ???????????????????????{ ???????????????????????????swEncrypt.Write(encryptString); ???????????????????????} ???????????????????????byte[] bytes = msEncrypt.ToArray(); ???????????????????????return Convert.ToBase64String(bytes).Replace(‘+‘, ‘-‘).Replace(‘/‘, ‘_‘); ???????????????????} ???????????????} ???????????} ???????} ???????/// <summary> ???????/// AES解密算法 ???????/// </summary> ???????/// <param name="decryptString">解密前的字符串</param> ???????/// <param name="keytype">秘钥</param> ???????/// <returns></returns> ???????public static string AESDecrypt(string decryptString, string decryptKey) ???????{ ???????????if (string.IsNullOrWhiteSpace(decryptString)) return null; ???????????decryptString = decryptString.Replace(‘-‘, ‘+‘).Replace(‘_‘, ‘/‘); ???????????if (string.IsNullOrWhiteSpace(decryptKey)) return null; ???????????decryptKey = decryptKey.PadRight(32, ‘ ‘); ???????????byte[] keyBytes = Encoding.UTF8.GetBytes(decryptKey.Substring(0, 32)); ???????????Byte[] inputBytes = Convert.FromBase64String(decryptString); ???????????using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider()) ???????????{ ???????????????aesAlg.Key = keyBytes; ???????????????aesAlg.IV = AES_IV; ???????????????ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV); ???????????????using (MemoryStream msEncrypt = new MemoryStream(inputBytes)) ???????????????{ ???????????????????using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, decryptor, CryptoStreamMode.Read)) ???????????????????{ ???????????????????????using (StreamReader srEncrypt = new StreamReader(csEncrypt)) ???????????????????????{ ???????????????????????????return srEncrypt.ReadToEnd(); ???????????????????????} ???????????????????} ???????????????} ???????????} ???????} ???} ???#endregion}