Aws lambda 如何在AWS无服务器Lambda环境中替换AddDeveloperSigningCredential?

Aws lambda 如何在AWS无服务器Lambda环境中替换AddDeveloperSigningCredential?,aws-lambda,identityserver4,Aws Lambda,Identityserver4,我们将Identity Server4与EntityFrameworkCore一起使用,并使用aws工具包(“”)将.NET Core应用程序部署为lambda函数。那么,我们如何在aws无服务器lambda环境中替换AddDeveloperSigningCredential呢 以下是我们的ConfigurationServerices方法: public void ConfigureServices(IServiceCollection services) { serv

我们将Identity Server4与EntityFrameworkCore一起使用,并使用aws工具包(“”)将.NET Core应用程序部署为lambda函数。那么,我们如何在aws无服务器lambda环境中替换AddDeveloperSigningCredential呢

以下是我们的ConfigureServices方法:

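/// <summary>
/// Registers IdentityServer4 with its EF Core configuration and operational stores, and the S3 client.
/// </summary>
/// <param name="services">The DI container to register into.</param>
/// <exception cref="ArgumentNullException"><paramref name="services"/> is null.</exception>
/// <exception cref="InvalidOperationException">The "IdentityServer" connection string is not configured.</exception>
public void ConfigureServices(IServiceCollection services)
{
    if (services == null) throw new ArgumentNullException(nameof(services));

    services.AddSingleton<IConfiguration>(Configuration);

    // Fail fast at startup instead of on the first database call with an opaque provider error.
    string connectionString = Configuration.GetConnectionString("IdentityServer");
    if (string.IsNullOrWhiteSpace(connectionString))
    {
        throw new InvalidOperationException("Connection string 'IdentityServer' is not configured.");
    }

    // Both stores keep their migrations in this (the Startup) assembly.
    var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

    services.AddIdentityServer()
        // Development only: the temporary key this creates lives on the local file system and is not
        // shared across Lambda instances. For production use AddSigningCredential(...) with a persisted
        // X509Certificate2 (or register ISigningCredentialStore/IValidationKeysStore directly).
        .AddDeveloperSigningCredential()
        // Configuration data (clients, resources) comes from the database.
        .AddConfigurationStore(options =>
        {
            options.ConfigureDbContext = builder =>
                builder.UseSqlServer(connectionString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));
        })
        // Operational data (codes, tokens, consents) comes from the same database.
        .AddOperationalStore(options =>
        {
            options.ConfigureDbContext = builder =>
                builder.UseSqlServer(connectionString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));

            // Automatic token cleanup is optional and left disabled here.
            // options.EnableTokenCleanup = true;
            // options.TokenCleanupInterval = 30;
        });

    // Add S3 to the ASP.NET Core dependency injection framework.
    services.AddAWSService<Amazon.S3.IAmazonS3>();
}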
public void配置服务(IServiceCollection服务)
{
services.AddSingleton(配置);
string connectionString=Configuration.GetConnectionString(“IdentityServer”);
var migrationassembly=typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddIdentityServer()
.AddDeveloperSigningCredential()
//这将添加来自DB(客户端、资源)的配置数据
.AddConfigurationStore(选项=>
{
options.ConfigureDbContext=builder=>
builder.UseSqlServer(connectionString,
sql=>sql.migrationassembly(migrationassembly));
})//这将添加来自DB的操作数据(代码、令牌、同意)
.addStore(选项=>
{
options.ConfigureDbContext=builder=>
builder.UseSqlServer(connectionString,
sql=>sql.migrationassembly(migrationassembly));
//这将启用自动令牌清理。这是可选的。
//options.EnableTokenCleanup=true;
//options.TokenCleanupInterval=30;
});
//将S3添加到ASP.NET核心依赖项注入框架。
services.AddAWSService();
}

这是从证书存储加载证书的一些示例代码。如果证书存储对您不可用，而您只能把证书序列化并持久化保存，那么就需要用其他方式加载；但最终都要得到一个有效的X509Certificate2实例，再将其传递给X509SecurityKey。

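/// <summary>
/// Registers IdentityServer's signing credential and validation keys from the certificates in the
/// LocalMachine\My store whose subject is "CN=&lt;name&gt;".
/// </summary>
/// <param name="services">The DI container to register into.</param>
/// <param name="name">Common name of the certificate(s) to load; defaults to "MyCertName".</param>
/// <exception cref="ArgumentNullException"><paramref name="services"/> is null.</exception>
/// <exception cref="InvalidOperationException">No matching certificate is currently valid for signing.</exception>
private static void ConfigureSigningCerts(IServiceCollection services, string name = "MyCertName")
{
    if (services == null) throw new ArgumentNullException(nameof(services));

    var now = DateTime.UtcNow;

    // Materialize once: Where/OrderBy are deferred, and this list is read three times below.
    // Certificates that are not yet valid are excluded; the one expiring last sorts first.
    // NOTE(review): LocalMachine\My is a Windows store. On Lambda, build the X509Certificate2
    // instances from bytes or a file path instead (see surrounding text) and apply the same selection.
    var certs = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=" + name, false)
        .Where(o => now >= o.NotBefore)
        .OrderByDescending(o => o.NotAfter)
        .ToList();

    if (certs.Count == 0) throw new InvalidOperationException("No valid certificates could be found.");

    // Sign only with a certificate that is still inside its validity period; an expired one would
    // issue tokens that relying parties reject.
    var signingCert = certs.FirstOrDefault(o => now < o.NotAfter);
    if (signingCert == null) throw new InvalidOperationException("No valid signing certificate could be found.");

    var signingCredential = new SigningCredentials(new X509SecurityKey(signingCert), "RS256");
    services.AddSingleton<ISigningCredentialStore>(new DefaultSigningCredentialsStore(signingCredential));

    // Every matching certificate (older ones included) remains a validation key, so tokens signed
    // before a key rollover still validate.
    var keys = certs
        .Select(cert => (SecurityKey)new X509SecurityKey(cert))
        .ToList();

    services.AddSingleton<IValidationKeysStore>(new DefaultValidationKeysStore(keys));
}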
私有静态无效配置签名证书(IServiceCollection服务)
{
var keys=新列表();
var name=“MyCertName”;
//最后一个在顶部过期的
var certs=X509.LocalMachine.My.subjectDifferentizedName.Find(“CN=“+name,false”)
.Where(o=>DateTime.UtcNow>=o.NotBefore)
.OrderByDescending(o=>o.NotAfter);
如果(!certs.Any())抛出新异常(“找不到有效的证书”);
//获取第一个(按到期说明顺序)th
var signingCert=certs.FirstOrDefault();
if(signingCert==null)抛出新的InvalidOperationException(“找不到有效的签名证书”);
var signingCredential=新的SigningCredentials(新X509SecurityKey(signingCert),“RS256”);
services.AddSingleton(新的DefaultSigningCredentialsStore(SigningCredentials));
foreach(证书中的var证书)
{
var validationCredential=新的签名凭证(新的X509SecurityKey(证书),“RS256”);
添加(validationCredential.Key);
}
AddSingleton(新的DefaultValidationKeyStore(keys));
}
X509Certificate2的构造函数可以接受原始byte[]或文件路径，因此在打包和分发签名/验证证书时有很多选择。

要在windows上创建自签名证书,可以使用以下命令:

makecert -r -pe -n "CN=MyCertName" -b 01/01/2015 -e 01/01/2039 -eku 1.3.6.1.5.5.7.3.3 -sky signature -a sha256 -len 2048 mycert.cer

这会在名为mycert.cer的文件中创建名为MyCertName的证书。


此处工具的完整文档:

这是从证书存储加载证书的一些示例代码。如果证书存储对您不可用，而您只能把证书序列化并持久化保存，那么就需要用其他方式加载；但最终都要得到一个有效的X509Certificate2实例，再将其传递给X509SecurityKey。

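/// <summary>
/// Registers IdentityServer's signing credential and validation keys from the certificates in the
/// LocalMachine\My store whose subject is "CN=&lt;name&gt;".
/// </summary>
/// <param name="services">The DI container to register into.</param>
/// <param name="name">Common name of the certificate(s) to load; defaults to "MyCertName".</param>
/// <exception cref="ArgumentNullException"><paramref name="services"/> is null.</exception>
/// <exception cref="InvalidOperationException">No matching certificate is currently valid for signing.</exception>
private static void ConfigureSigningCerts(IServiceCollection services, string name = "MyCertName")
{
    if (services == null) throw new ArgumentNullException(nameof(services));

    var now = DateTime.UtcNow;

    // Materialize once: Where/OrderBy are deferred, and this list is read three times below.
    // Certificates that are not yet valid are excluded; the one expiring last sorts first.
    // NOTE(review): LocalMachine\My is a Windows store. On Lambda, build the X509Certificate2
    // instances from bytes or a file path instead (see surrounding text) and apply the same selection.
    var certs = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=" + name, false)
        .Where(o => now >= o.NotBefore)
        .OrderByDescending(o => o.NotAfter)
        .ToList();

    if (certs.Count == 0) throw new InvalidOperationException("No valid certificates could be found.");

    // Sign only with a certificate that is still inside its validity period; an expired one would
    // issue tokens that relying parties reject.
    var signingCert = certs.FirstOrDefault(o => now < o.NotAfter);
    if (signingCert == null) throw new InvalidOperationException("No valid signing certificate could be found.");

    var signingCredential = new SigningCredentials(new X509SecurityKey(signingCert), "RS256");
    services.AddSingleton<ISigningCredentialStore>(new DefaultSigningCredentialsStore(signingCredential));

    // Every matching certificate (older ones included) remains a validation key, so tokens signed
    // before a key rollover still validate.
    var keys = certs
        .Select(cert => (SecurityKey)new X509SecurityKey(cert))
        .ToList();

    services.AddSingleton<IValidationKeysStore>(new DefaultValidationKeysStore(keys));
}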
私有静态无效配置签名证书(IServiceCollection服务)
{
var keys=新列表();
var name=“MyCertName”;
//最后一个在顶部过期的
var certs=X509.LocalMachine.My.subjectDifferentizedName.Find(“CN=“+name,false”)
.Where(o=>DateTime.UtcNow>=o.NotBefore)
.OrderByDescending(o=>o.NotAfter);
如果(!certs.Any())抛出新异常(“找不到有效的证书”);
//获取第一个(按到期说明顺序)th
var signingCert=certs.FirstOrDefault();
if(signingCert==null)抛出新的InvalidOperationException(“找不到有效的签名证书”);
var signingCredential=新的SigningCredentials(新X509SecurityKey(signingCert),“RS256”);
services.AddSingleton(新的DefaultSigningCredentialsStore(SigningCredentials));
foreach(证书中的var证书)
{
var validationCredential=新的签名凭证(新的X509SecurityKey(证书),“RS256”);
添加(validationCredential.Key);
}
AddSingleton(新的DefaultValidationKeyStore(keys));
}
X509Certificate2的构造函数可以接受原始byte[]或文件路径，因此在打包和分发签名/验证证书时有很多选择。

要在windows上创建自签名证书,可以使用以下命令:

makecert -r -pe -n "CN=MyCertName" -b 01/01/2015 -e 01/01/2039 -eku 1.3.6.1.5.5.7.3.3 -sky signature -a sha256 -len 2048 mycert.cer

这会在名为mycert.cer的文件中创建名为MyCertName的证书。


此工具的完整文档如下:

谢谢@mackie。如果我们在windows上创建自签名证书，部署lambda后，这些证书是否可以在aws环境中使用？—— 我不熟悉aws lambda的细节，但前提是您能以某种方式（作为文件或嵌入式资源）将证书与服务捆绑在一起，那么我无法想象这会是一个问题。—— 我们可以使用从代码生成的证书而不是从