
Unable to UnProtect payloads protected with a key which is still not expired

Open MandeepShahi opened this issue 2 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Describe the bug

We use Data Protection apis integrated with MSAL to store encrypted tokens on Cosmos Db. The keys used for encryption are also stored on Cosmos Db. The keys themselves are encrypted using some certificate.

We have set the key lifetime as 1 year. Everything was going smoothly, but a month into this feature we saw that a new key was written to the key ring repository in Cosmos Db. The earlier key wasn't expired yet (10 months of lifetime still remain). I didn't understand why this would happen! To make matters worse, the payloads protected with the earlier key failed to be decrypted despite the earlier key being present in the key ring resource. This would mean that the previous key had been revoked. We don't call RevokeKey anywhere in our system. Is there some default construct by which keys get revoked?

The below link shows the current state of key ring repository in Cosmos Db. It should be noted that the first key is still not expired and yet a new key got added.

In which all cases does a key get revoked? Is revocation in any way dependent on Expiry time?

DataProtectionKeys

Expected Behavior

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

MandeepShahi avatar Dec 26 '22 11:12 MandeepShahi

While there is a revocation api, it's not actually wired up to anything, it's meant for folks writing utilities, and revocation marks a key in a very particular.

We don't provide a CosmosDB provider, and I don't know how MSAL uses data protection. Keys expire naturally after their expiry date but they never get deleted specifically so you can continue to unprotect things using that key, expiry only means it's not used for encrypting new payloads.

So this is weird.

Can you show us your configuration / startup code as a starting point?

blowdart avatar Jan 03 '23 23:01 blowdart
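The semantics blowdart describes (a key that is older, or even past its expiry, is still used to unprotect; only protecting new payloads moves to the newest key) can be observed directly. The following C# console program is an added example, not code from the thread or from the aspnetcore repository. It assumes a hypothetical in-memory `AppendOnlyXmlRepository` standing in for the Cosmos DB provider described above, and relies on the documented Data Protection payload layout (a 4-byte magic header followed by the 16-byte key id) to report which key protected each payload.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.Repositories;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical append-only repository standing in for the Cosmos DB one in the thread.
// The contract the key ring depends on: GetAllElements must return EVERY key ever stored,
// otherwise payloads protected with a missing key can no longer be unprotected.
sealed class AppendOnlyXmlRepository : IXmlRepository
{
    private readonly List<XElement> _elements = new();
    private readonly object _lock = new();

    public IReadOnlyCollection<XElement> GetAllElements()
    {
        lock (_lock) return _elements.Select(e => new XElement(e)).ToList();
    }

    public void StoreElement(XElement element, string friendlyName)
    {
        lock (_lock) _elements.Add(new XElement(element));
    }
}

static class Program
{
    // Protected payloads are base64url strings; undo the URL-safe alphabet and padding.
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    // Every protected payload starts with a 4-byte magic header followed by the
    // 16-byte id of the key that protected it, so the key can be identified offline.
    static Guid KeyIdOf(string protectedPayload)
    {
        var bytes = Base64UrlDecode(protectedPayload);
        return new Guid(bytes.AsSpan(4, 16));
    }

    static void Main()
    {
        var repo = new AppendOnlyXmlRepository();
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("keyring-demo")
            .SetDefaultKeyLifetime(TimeSpan.FromDays(365))
            .AddKeyManagementOptions(o => o.XmlRepository = repo);
        // Keys are stored unencrypted in this demo repository; a real deployment wraps
        // them at rest (e.g. ProtectKeysWithCertificate, as the thread's setup does).
        using var provider = services.BuildServiceProvider();

        var protector = provider.GetRequiredService<IDataProtectionProvider>().CreateProtector("tokens");
        var keyManager = provider.GetRequiredService<IKeyManager>();

        string first = protector.Protect("token-A");   // first use creates key #1
        Guid key1 = KeyIdOf(first);

        // Simulate a second key appearing in the repository while key #1 is still valid.
        keyManager.CreateNewKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(365));
        string second = protector.Protect("token-B");

        Console.WriteLine($"payload 1 protected with key {key1}");
        Console.WriteLine($"payload 2 protected with key {KeyIdOf(second)}");

        // Both payloads still unprotect: a merely older (or expired) key stays usable.
        Console.WriteLine(protector.Unprotect(first));
        Console.WriteLine(protector.Unprotect(second));

        // What the key ring actually believes about each key it loaded from the repository.
        foreach (var key in keyManager.GetAllKeys())
            Console.WriteLine($"{key.KeyId} expires {key.ExpirationDate:u} revoked={key.IsRevoked}");
    }
}
```

The final loop is the useful diagnostic here: run it against the real repository to check whether the key ring the application actually loads still contains the older key, and what `IsRevoked` and `ExpirationDate` report for it, before concluding that revocation took place.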

This is what I found odd as well. The key is not expired. It is not deleted either; I have written the CosmosDb provider in a manner that new keys being used are appended to the already present list of keys. The seemingly revoked key is present as well, and I can see that the payload was protected with that key, but unprotecting isn't working on it.

Here's the configuration snippets

This is how we register MSAL token caching services along with dataprotection ones in ConfidentialClientApplication objects [image]

Here's how each of the extensions get added [image]

Finally, here's the CosmosdbProvider registration in DataProtection services [image]

MandeepShahi avatar Jan 04 '23 18:01 MandeepShahi

@blowdart Any update on this? I'm experiencing the above issue in almost all instances using data protection layer in this form!

MandeepShahi avatar Jan 13 '23 15:01 MandeepShahi

I think we're going to need a repro, including the code of your cosmos db provider before we can investigate

blowdart avatar Jan 17 '23 23:01 blowdart

Hi @MandeepShahi. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

ghost avatar Jan 17 '23 23:01 ghost

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.

ghost avatar Jan 23 '23 00:01 ghost