We are trying to upgrade an IdentityServer3 instance from targeting .NET Framework 4.5 to 4.7, but at runtime we stumbled on the following exception.
The error seems to occur because a cookie that the OWIN middleware should create is missing, although we are not entirely sure.
System.InvalidOperationException: ID6041: The provided RSA key is invalid.
at System.IdentityModel.RsaEncryptionCookieTransform.Encode(Byte[] value)
at IdentityServer3.Core.Configuration.X509CertificateDataProtector.Protect(Byte[] data, String entropy) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\X509CertificateDataProtector.cs:line 48
at IdentityServer3.Core.Extensions.IDataProtectorExtensions.Protect(IDataProtector protector, String data, String entropy) in c:\local\identity\server3\IdentityServer3\source\Core\Extensions\IDataProtectorExtensions.cs:line 38
at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Protect(IDataProtector protector, TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 73
at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Protect(TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 118
at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Write(TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 142
at IdentityServer3.Core.Extensions.OwinEnvironmentExtensions.CreateSignInRequest(IDictionary`2 env, SignInMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Extensions\OwinEnvironmentExtensions.cs:line 138
at IdentityServer3.Core.Results.LoginResult.Execute() in c:\local\identity\server3\IdentityServer3\source\Core\Results\LoginResult.cs:line 57
at IdentityServer3.Core.Results.LoginResult.ExecuteAsync(CancellationToken cancellationToken) in c:\local\identity\server3\IdentityServer3\source\Core\Results\LoginResult.cs:line 48
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext() in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\ClientListCookie.cs:line
I know this question was asked 5 years ago. Answering in case someone else runs into it.
We noticed this problem when we changed the httpRuntime targetFramework in web.config from 4.6 to 4.8.
Add the following to your web.config:
<configuration>
  <appSettings>
    <add key="AppContext.SetSwitch:Switch.System.IdentityModel.DisableCngCertificates" value="true" />
  </appSettings>
</configuration>
This exception is thrown from the RsaEncryptionCookieTransform.Encode method:
// Excerpt from System.IdentityModel's RsaEncryptionCookieTransform.Encode:
// the key must be an RSACryptoServiceProvider, otherwise ID6041 is raised.
RSACryptoServiceProvider provider = encryptionKey as RSACryptoServiceProvider;
if ( provider == null )
{
    throw DiagnosticUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID6041 ) );
}
Line 72 of that class calls X509Util.EnsureAndGetPrivateRSAKey, which calls CngLightup.GetRSAPrivateKey when DisableCngCertificates is false.
CngLightup.GetRSAPrivateKey creates an RSACng, which derives from RSA but not from RSACryptoServiceProvider.
Thanks,
--Vladimir
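As an added illustration (not part of the answer above or of IdentityServer3's own code), a small C# startup self-check that applies the same switch programmatically, confirms it is set, and reports which RSA implementation the runtime returns for the signing certificate's private key, since RsaEncryptionCookieTransform.Encode only accepts an RSACryptoServiceProvider. The certificate path and password are placeholders, and it is an assumption that GetRSAPrivateKey reflects whether the key is stored in a CNG provider or a legacy CSP.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not IdentityServer3 code. Run this once at startup, before any
// System.IdentityModel type is used, so the switch is read with the intended value.
static class CngCompatCheck
{
    // Same switch as the web.config entry
    // "AppContext.SetSwitch:Switch.System.IdentityModel.DisableCngCertificates".
    const string DisableCng = "Switch.System.IdentityModel.DisableCngCertificates";

    // Returns a one-line verdict instead of throwing, so it can be logged from Startup.
    public static string Check(X509Certificate2 cert)
    {
        bool switchValue;
        bool switchKnown = AppContext.TryGetSwitch(DisableCng, out switchValue);
        string switchState = switchKnown ? switchValue.ToString() : "unset";

        if (!cert.HasPrivateKey)
            return "Certificate has no private key; " + DisableCng + "=" + switchState;

        // RsaEncryptionCookieTransform.Encode does 'encryptionKey as RSACryptoServiceProvider';
        // an RSACng instance fails that cast and surfaces as ID6041.
        // Assumption: GetRSAPrivateKey returns RSACng for CNG-stored keys and
        // RSACryptoServiceProvider for keys held by a legacy CSP.
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            string keyType = rsa == null ? "none" : rsa.GetType().Name;
            bool cspKey = rsa is RSACryptoServiceProvider;
            return string.Format(
                "Private key implementation={0}; RSACryptoServiceProvider={1}; {2}={3}",
                keyType, cspKey, DisableCng, switchState);
        }
    }

    private static void Main()
    {
        // Programmatic equivalent of the appSettings entry; must precede the first
        // use of System.IdentityModel, which caches the switch value when it loads.
        AppContext.SetSwitch(DisableCng, true);

        // Placeholder path and password: substitute your own signing certificate.
        var cert = new X509Certificate2(@"C:\placeholder\signing.pfx", "placeholder-password",
            X509KeyStorageFlags.MachineKeySet);

        Console.WriteLine(Check(cert));
    }
}
```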