11  

Mr. Curious was curious about getting the machine key as well. The properties on the MachineKeySection are no good, as they get zeroed-out after initialization, which happens before you can read them with reflection.

好奇先生也很想弄到机器钥匙。MachineKeySection上的属性不是很好，因为它们在初始化之后被调零，这发生在您可以使用反射读取它们之前。

After a bit of digging in the current 4.5 framework, turns out that the auto generated keys are stored in HttpApplication.s_autogenKeys byte array. The validation key is the first 64 bytes, followed by 24 bytes of the decryption key.

在当前的4.5框架中挖掘了一些之后，发现自动生成的键存储在HttpApplication中。s_autogenKeys字节数组。验证密钥是前64字节，后面是24字节的解密密钥。

If you are not opting in into the new crypto stuff in 4.5 framework, that is, you didn't set <httpRuntime targetFramework="4.5"> in your web.config (which is the case if you have an app you created with a previous version of the framework), then you get to the keys like this:

如果您没有选择使用4.5框架中的新crypto内容，也就是说，您没有在web中设置 。配置(如果你用之前版本的框架创建了一个应用程序)，那么你会得到如下的键:

        byte[] autogenKeys = (byte[])typeof(HttpRuntime).GetField("s_autogenKeys", BindingFlags.NonPublic | BindingFlags.Static).GetValue(null);

        int validationKeySize = 64;
        int decryptionKeySize = 24;

        byte[] validationKey = new byte[validationKeySize];
        byte[] decryptionKey = new byte[decryptionKeySize];

        Buffer.BlockCopy(autogenKeys, 0, validationKey, 0, validationKeySize);
        Buffer.BlockCopy(autogenKeys, validationKeySize, decryptionKey, 0, decryptionKeySize);

        // This is the IsolateApps bit, which is set for both keys
        int pathHash = StringComparer.InvariantCultureIgnoreCase.GetHashCode(HttpRuntime.AppDomainAppVirtualPath);
        validationKey[0] = (byte)(pathHash & 0xff);
        validationKey[1] = (byte)((pathHash & 0xff00) >> 8);
        validationKey[2] = (byte)((pathHash & 0xff0000) >> 16);
        validationKey[3] = (byte)((pathHash & 0xff000000) >> 24);

        decryptionKey[0] = (byte)(pathHash & 0xff);
        decryptionKey[1] = (byte)((pathHash & 0xff00) >> 8);
        decryptionKey[2] = (byte)((pathHash & 0xff0000) >> 16);
        decryptionKey[3] = (byte)((pathHash & 0xff000000) >> 24);

The default for both keys is AutoGenerate,IsolateApps; the IsolateApps bit requires that you copy the first four bytes of the application path hash to the beginning of the key.

这两个键的默认值是自动生成的，IsolateApps;隔离应用程序需要将应用程序路径散列的前四个字节复制到关键字的开头。

If you opted in into the cryptographic improvements in fx4.5, then you'll have to dig around the MachineKeyMasterKeyProvider to get the valid keys.

如果您选择了在fx4.5中进行加密改进，那么您必须在MachineKeyMasterKeyProvider中寻找有效的密钥。

Getting the Keys without the HttpApplication

The HttpApplication gets its keys by calling into a native method in webengine4.dll from SetAutogenKeys(). We can call into the DLL ourselves as well. All we need to know is our application path.

HttpApplication通过调用webengine4中的本机方法来获取其密钥。从SetAutogenKeys dll()。我们也可以自己调用DLL。我们需要知道的是我们的应用程序路径。

Let's say that we want to get the auto generated keys for the root application, "/".

假设我们想要为根应用程序“/”获取自动生成的键。

Using LinqPad:

使用LinqPad:

[DllImport(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll")]
internal static extern int EcbCallISAPI(IntPtr pECB, int iFunction, byte[] bufferIn, int sizeIn, byte[] bufferOut, int sizeOut);

void Main()
{
    string appPath = "/";
    byte[] genKeys = new byte[1024];
    byte[] autogenKeys = new byte[1024];

    int res = EcbCallISAPI(IntPtr.Zero, 4, genKeys, genKeys.Length, autogenKeys, autogenKeys.Length);

    if (res == 1) {
        // Same as above
        int validationKeySize = 64;
        int decryptionKeySize = 24;

        byte[] validationKey = new byte[validationKeySize];
        byte[] decryptionKey = new byte[decryptionKeySize];

        Buffer.BlockCopy(autogenKeys, 0, validationKey, 0, validationKeySize);
        Buffer.BlockCopy(autogenKeys, validationKeySize, decryptionKey, 0, decryptionKeySize);

        int pathHash = StringComparer.InvariantCultureIgnoreCase.GetHashCode(appPath);
        validationKey[0] = (byte)(pathHash & 0xff);
        validationKey[1] = (byte)((pathHash & 0xff00) >> 8);
        validationKey[2] = (byte)((pathHash & 0xff0000) >> 16);
        validationKey[3] = (byte)((pathHash & 0xff000000) >> 24);

        decryptionKey[0] = (byte)(pathHash & 0xff);
        decryptionKey[1] = (byte)((pathHash & 0xff00) >> 8);
        decryptionKey[2] = (byte)((pathHash & 0xff0000) >> 16);
        decryptionKey[3] = (byte)((pathHash & 0xff000000) >> 24);

        Console.WriteLine("DecryptionKey: {0}", decryptionKey.Aggregate(new StringBuilder(), (acc, c) => acc.AppendFormat("{0:x2}", c), acc => acc.ToString()));
        Console.WriteLine("ValidationKey: {0}", validationKey.Aggregate(new StringBuilder(), (acc, c) => acc.AppendFormat("{0:x2}", c), acc => acc.ToString()));
    }
}

Getting the keys from MachineKeyMasterKeyProvider

The keys for the new fx4.5 stuff are accessible by instantiating the MachineKeyMasterKeyProvider with the internal constructor, and then passing in autogenKeys byte array obtained as in the code above. The provider has methods GetEncryptionKey and GetValidationKey to get to actual keys.

通过使用内部构造函数实例化MachineKeyMasterKeyProvider，然后传入上面代码中获得的autogenKeys字节数组，可以访问新的fx4.5内容的键。提供者有方法GetEncryptionKey和GetValidationKey来获取实际的密钥。

4  

If you're using .NET 4, there's the MachineKey class. It doesn't give you raw access to the actual key, but it does provide methods for Encoding and Decoding the data using the same algorithms as the FormsAuthentication class, along with options for adding validation w/ an HMAC.

如果你正在使用。net 4，有一个MachineKey类。它不提供对实际密钥的原始访问，但它提供了使用与FormsAuthentication类相同的算法对数据进行编码和解码的方法，以及添加验证w/ an HMAC的选项。

2  

For .Net 4.5 here is the code

这里是。net 4.5的代码

//using System.Reflection
//using System.Web.Configuration

byte[] autogenKeys = (byte[])typeof(HttpRuntime).GetField("s_autogenKeys", BindingFlags.NonPublic | BindingFlags.Static).GetValue(null);

Type t = typeof(System.Web.Security.DefaultAuthenticationEventArgs).Assembly.GetType("System.Web.Security.Cryptography.MachineKeyMasterKeyProvider");
ConstructorInfo ctor = t.GetConstructors(BindingFlags.Instance | BindingFlags.NonPublic)[0];

Type ckey = typeof(System.Web.Security.DefaultAuthenticationEventArgs).Assembly.GetType("System.Web.Security.Cryptography.CryptographicKey");
ConstructorInfo ckeyCtor = ckey.GetConstructors(BindingFlags.Instance | BindingFlags.Public)[0];
Object ckeyobj = ckeyCtor.Invoke(new object[] { autogenKeys });
object o = ctor.Invoke(new object[] { new MachineKeySection(), null, null, ckeyobj, null });
var encKey = t.GetMethod("GetEncryptionKey").Invoke(o, null);
byte[] encBytes = ckey.GetMethod("GetKeyMaterial").Invoke(encKey, null) as byte[];
var vldKey = t.GetMethod("GetValidationKey").Invoke(o, null);
byte[] vldBytes = ckey.GetMethod("GetKeyMaterial").Invoke(vldKey, null) as byte[];
string decryptionKey = BitConverter.ToString(encBytes);
decryptionKey = decryptionKey.Replace("-", "");
string validationKey = BitConverter.ToString(vldBytes);
validationKey = validationKey.Replace("-", "");

1  

If the ASP.NET Forms Authentication provider can access it then have you tried looking at the provider source code? (I think this is the correct location, ScottGu's original blog post on the subject has had broken links since they updated MSDN)

如果ASP。NET表单验证提供程序可以访问它，那么您尝试查看提供程序源代码了吗?(我认为这是正确的位置，ScottGu关于这一主题的最初博客文章自从他们更新MSDN后就中断了链接)

1  

Thanks Mr. Curious,

由于好奇,先生

based on your pointers I got this:

根据你的指示，我得到了这个:

private byte[] _validationKey;
private byte[] _decryptionKey;

public static byte[] GetKey(object provider, string name)
{
  var validationKey = provider.GetType().GetMethod(name).Invoke(provider, new object[0]);
  return (byte[])validationKey.GetType().GetMethod("GetKeyMaterial").Invoke(validationKey, new object[0]);
}

protected override void OnLoad(EventArgs e)
{
    var machineKey = typeof(MachineKeySection).GetMethods(BindingFlags.Static | BindingFlags.NonPublic).Single(a => a.Name == "GetApplicationConfig").Invoke(null, new object[0]);

    var type = Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a").GetTypes().Single(a => a.Name == "MachineKeyMasterKeyProvider");

    var instance = type.Assembly.CreateInstance(
        type.FullName, false,
        BindingFlags.Instance | BindingFlags.NonPublic,
        null, new object[] { machineKey, null, null, null, null }, null, null);

    var validationKey = type.GetMethod("GetValidationKey").Invoke(instance, new object[0]);
    var key = (byte[])validationKey.GetType().GetMethod("GetKeyMaterial").Invoke(validationKey, new object[0]);


    _validationKey = GetKey(instance, "GetValidationKey");
    _decryptionKey = GetKey(instance, "GetEncryptionKey");
}

1  

Add the following config information to your web.config file. Make sure you replace information with your own information.

向web添加以下配置信息。配置文件。确保您用自己的信息替换了信息。

<system.web>
<machineKey validationKey="E4451576F51E0562D91A1748DF7AB3027FEF3C2CCAC46D756C833E1AF20C7BAEFFACF97C7081ADA4648918E0B56BF27D1699A6EB2D9B6967A562CAD14767F163" 
            decryptionKey="6159C46C9E288028ED26F5A65CED7317A83CB3485DE8C592" validation="HMACSHA256" decryption="AES" />
</system.web>

validationkey and decryptionkey, validation and decryption should vary based on your server and protocol.

验证密钥和解密密钥、验证和解密应该根据您的服务器和协议而有所不同。

0  

Do you actually NEED the key? Or just to encrypt and decrypt the data?

你真的需要钥匙吗?或者只是对数据进行加密和解密?

System.Web.Security.FormsAuthentication (.NET 2.0) has public Encrypt/Decrypt methods. These use System.Web.Configuration.MachineKeySection EncryptOrDecryptData, ByteArrayToHexString and HexStringToByteArray to encrypt and decrypt the data.

System.Web.Security。FormsAuthentication(。有公共加密/解密方法。这些用System.Web.Configuration。MachineKeySection加密tordecryptdata, ByteArrayToHexString和HexStringToByteArray对数据进行加密和解密。

EncryptOrDecryptData handles loading / configuring the key data from config files/AutoGenerate as required.

EncryptOrDecryptData根据需要处理从配置文件/自动生成的密钥数据的加载/配置。

Encrypt And Decrypt should be available via the source code downloads or reflector and readily converted to your purpose.

加密和解密应该可以通过源代码下载或反射器获得，并容易地转换为您的目的。

0  

I had the same issue and needed to get the machinekey from a running web application (not using .NET 4.5 crypto features) that I could not make a code change to, so I created a simple .aspx file that extracts the key and dumps it to a file and then placed it in the application root and accessed it using a browser (without needing to touch the running application)

我有同样的问题,需要得到machinekey从正在运行的web应用程序(不使用。net 4.5加密特性),我不能做一个代码更改,所以我创建了一个简单的。aspx文件,提取关键和转储到一个文件中,然后把它在应用程序中根和使用浏览器访问它(无需接触到正在运行的应用程序)

<%@ Page Language="C#"
var runTimeType = typeof(System.Web.HttpRuntime);
var autogenKeysField = runTimeType.GetField("s_autogenKeys", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
var autogenKeys = (byte[])autogenKeysField.GetValue(null);
var machineKeySection = new System.Web.Configuration.MachineKeySection();

var autogenKeyProperty = typeof(System.Web.Configuration.MachineKeySection).GetProperty("AutogenKey", System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic);
var decryptionKeyField = typeof(System.Web.Configuration.MachineKeySection).GetField("_DecryptionKey", System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic);
var validationKeyField = typeof(System.Web.Configuration.MachineKeySection).GetField("_ValidationKey", System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic);

// This needs to be done to make machineKeySection refresh it's data
var touch = (bool)autogenKeyProperty.GetValue(machineKeySection);
var decryptionKey = (byte[])decryptionKeyField.GetValue(machineKeySection);
var validationKey = (byte[])validationKeyField.GetValue(machineKeySection);

var autogenKeyString = BitConverter.ToString(autogenKeys).Replace("-", string.Empty);
var encryptionKeyString = BitConverter.ToString(decryptionKey).Replace("-", string.Empty);
var validationKeyString = BitConverter.ToString(validationKey).Replace("-", string.Empty);

using (var writer = new System.IO.StreamWriter("c:/somewhere/withwriteaccess/MachineKey.config")) {
    writer.Write(string.Format("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<machineKey decryptionKey=\"{0}\" validationKey=\"{1}\" />", encryptionKeyString, validationKeyString));
}
%>