CryptographyClient Decrypt throws 'Key does not exist' exception

I am trying to encrypt/decrypt text with the Azure Key Vault SDK, following the Microsoft docs sample.

I created the key manually through the Azure portal. The encrypt part succeeds, but decrypt throws a 'Key does not exist' exception. I don't understand why, because the key exists, it has decrypt as an allowed operation, and I can confirm this in debug mode in VS (KeyVaultKey -> KeyOperations lists 'Decrypt').

Here is the full code:

    using System;
    using System.Text;
    using Azure.Identity;
    using Azure.Security.KeyVault.Keys;
    using Azure.Security.KeyVault.Keys.Cryptography;

    class Program
    {
        static void Main(string[] args)
        {
            var keyVaultKeyIdentifier = new KeyVaultKeyIdentifier(new Uri("key-url"));

            var keyClient = new KeyClient(keyVaultKeyIdentifier.VaultUri, new DefaultAzureCredential());

            var keyVaultKey = keyClient.GetKey(keyVaultKeyIdentifier.Name).Value;

            var cryptoClient = new CryptographyClient(keyVaultKey.Key);

            byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");

            // encrypt the data using the algorithm RSAOAEP
            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);

            // decrypt the encrypted data.
            // **Exception is thrown on this line**
            DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
        }
    }

For reference, the exception stack trace:

    at System.Security.Cryptography.RSAImplementation.RSACng.EncryptOrDecrypt(SafeNCryptKeyHandle key, ReadOnlySpan`1 input, AsymmetricPaddingMode paddingMode, Void* paddingInfo, Boolean encrypt)
    at System.Security.Cryptography.RSAImplementation.RSACng.EncryptOrDecrypt(Byte[] data, RSAEncryptionPadding padding, Boolean encrypt)
    at System.Security.Cryptography.RSAImplementation.RSACng.Decrypt(Byte[] data, RSAEncryptionPadding padding)
    at Azure.Security.KeyVault.Keys.Cryptography.RsaCryptographyProvider.Decrypt(Byte[] data, RSAEncryptionPadding padding)
    at Azure.Security.KeyVault.Keys.Cryptography.RsaCryptographyProvider.Decrypt(DecryptParameters parameters, CancellationToken cancellationToken)
    at Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient.Decrypt(DecryptParameters decryptParameters, CancellationToken cancellationToken)
    at Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient.Decrypt(EncryptionAlgorithm algorithm, Byte[] ciphertext, CancellationToken cancellationToken)
    at DotNetFiveCrypto.Program.Main(String[] args) in C:\Users\mike\Documents\Visual Studio 2019\Projects\DotNetFiveCrypto\Program.cs:line 32

I am using .NET 5 on Windows 10, with these SDK packages referenced:

    <PackageReference Include="Azure.Identity" Version="1.4.1" />
    <PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.2.0" />

You are instantiating the CryptographyClient with the public part of the key, so the SDK creates a local client, which can only encrypt.

Since Key Vault never exposes the private part, you need to instantiate the CryptographyClient with the key's ID so that it creates a remote client that delegates encryption and decryption to Key Vault.

The fix is as follows:

    using System;
    using System.Text;
    using Azure.Identity;
    using Azure.Security.KeyVault.Keys;
    using Azure.Security.KeyVault.Keys.Cryptography;

    class Program
    {
        static void Main(string[] args)
        {
            var keyVaultKeyIdentifier = new KeyVaultKeyIdentifier(new Uri("key-url"));

            var credential = new DefaultAzureCredential();

            var keyClient = new KeyClient(keyVaultKeyIdentifier.VaultUri, credential);

            var keyVaultKey = keyClient.GetKey(keyVaultKeyIdentifier.Name).Value;

            // constructed from the key ID and a credential, so operations are sent to Key Vault
            var cryptoClient = new CryptographyClient(keyVaultKey.Id, credential);

            byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");

            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);

            DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
        }
    }

Here's an additional encryption/decryption sample and here the source code for switching between local and remote clients.

I don't know the use case in question, but you could construct a local cryptography client for encryption (faster) and use a remote client for decryption (slower).
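The split the answer suggests, written out as an added example (not code from the question, the answer, or the SDK): a local client built from the public JsonWebKey for encryption and a remote client built from the key ID for decryption. It assumes the key URL is supplied in a KEY_VAULT_KEY_URL environment variable and the same SDK packages the question lists.

```csharp
using System;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

// Added example, not from the original question or answer. Assumes KEY_VAULT_KEY_URL
// holds a key URL of the form https://<vault>.vault.azure.net/keys/<name>/<version>.
static class HybridCryptoSample
{
    static void Main()
    {
        var keyId = new KeyVaultKeyIdentifier(new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_KEY_URL")));
        var credential = new DefaultAzureCredential();

        // One service call to fetch the key's public material (JsonWebKey).
        var keyClient = new KeyClient(keyId.VaultUri, credential);
        KeyVaultKey key = keyClient.GetKey(keyId.Name, keyId.Version).Value;

        // Local client: built from the public JWK, so Encrypt runs in-process with no
        // network call. It has no private key and therefore cannot decrypt.
        var localClient = new CryptographyClient(key.Key);

        // Remote client: built from the key ID, so Decrypt is performed inside Key Vault,
        // where the private key stays. The caller's identity needs the 'decrypt' permission.
        var remoteClient = new CryptographyClient(key.Id, credential);

        byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
        EncryptResult enc = localClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);

        // Decrypting on the local client reproduces the failure from the question:
        // the CNG provider has only public parameters, so the operation throws.
        try
        {
            localClient.Decrypt(EncryptionAlgorithm.RsaOaep, enc.Ciphertext);
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Local decrypt failed as expected: {ex.GetType().Name}: {ex.Message}");
        }

        DecryptResult dec = remoteClient.Decrypt(EncryptionAlgorithm.RsaOaep, enc.Ciphertext);
        bool roundTripOk = Encoding.UTF8.GetString(dec.Plaintext) == "A single block of plaintext";
        Console.WriteLine(roundTripOk
            ? "Round trip OK: encrypted locally, decrypted in Key Vault."
            : "Round trip FAILED.");
    }
}
```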