Add the ability to delay the receipt of a certificate in the extension method DataProtectionBuilderExtensions.ProtectKeysWithCertificate

[shazhko-artem2]

Problem

In my current project, we have several certificate providers, so we use the certificate factory. Also, we use data protection and protect keys with a certificate. The problem is that DataProtectionBuilderExtensions.ProtectKeysWithCertificate requires a certificate directly, for which we need a certificate factory, but for getting a factory, we need an IServiceProvider.

Solution

We need to add a method overload with the following parameters.

public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, Func<IServiceProvider, X509Certificate2 > factory){...}

Similar existing solutions

A similar solution already exists for AddKeyEscrowSink, but not for ProtectKeysWithCertificate.

public static IDataProtectionBuilder AddKeyEscrowSink(this IDataProtectionBuilder builder, Func<IServiceProvider, IKeyEscrowSink> factory){...}

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[Shazhko-Artem]

Hi guys. I investigated the codebase and understood that this requires slightly more changes than expected to implement this feature. The main problem that we need to pass this certificate for two options (KeyManagementOptions and XmlKeyDecryptionOptions) but we should invoke the certificate factory only once to be sure that these two options will have the same certificate.

I have an idea of how to implement this with as few changes as possible. We can create a class that will be the container for the value. This class will have a method to get the value, which takes a factory as a parameter. If the value is not yet in the container, then the factory will be called and the resulting value will be stored in the container. The next time this method is called, the value will be taken from the container.

Examples of such a solution.

1. Class Lazy<> - allows you to pass a delegate (value factory) to the constructor which will be called once and store the value inside the class. In our situation, we cannot use this class, since the delegate needs to be passed to the constructor, but we cannot do this, since, at the time of creating an instance of the Lazy class, we still do not have a service provider.
2. ConcurrentDictionary<> - it has a GetOrAdd method, the first parameter is a key, and the second is a value factory. This is not suitable for our situation because we do not have a collection, we have a single certificate.

Example of implementation

ValueBox is a container for a value.

internal class ValueBox<TValue>
{
    private readonly object _lock = new object();
    private volatile bool _hasValue = false;
    private TValue _value;

    public TValue GetOrSet(Func<TValue> factory)
    {
        lock (_lock)
        {
            if (_hasValue)
            {
                return _value;
            }

            _value = factory();
            _hasValue = true;
        }

        return _value;
    }
}

A new extension method with the ability to delay the receipt of a certificate

public static IDataProtectionBuilder ProtectKeysWithCertificate(
    this IDataProtectionBuilder builder,
    Func<IServiceProvider, X509Certificate2> provider)
{
    if (builder == null)
    {
        throw new ArgumentNullException(nameof(builder));
    }

    if (provider == null)
    {
        throw new ArgumentNullException(nameof(provider));
    }

    var certificateBox = new ValueBox<X509Certificate2>();
    builder.Services.AddSingleton<IConfigureOptions<KeyManagementOptions>>(services =>
    {
        var loggerFactory = services.GetService<ILoggerFactory>() ?? NullLoggerFactory.Instance;
        return new ConfigureOptions<KeyManagementOptions>(options =>
        {
            var certificate = certificateBox.GetOrSet(() => provider(services));
            options.XmlEncryptor = new CertificateXmlEncryptor(certificate, loggerFactory);
        });
    });
    builder.Services.AddSingleton<IConfigureOptions<XmlKeyDecryptionOptions>>(services =>
    {
        return new ConfigureOptions<XmlKeyDecryptionOptions>(options =>
        {
            var certificate = certificateBox.GetOrSet(() => provider(services));
            options.AddKeyDecryptionCertificate(certificate);
        });
    });
    return builder;
}

[Shazhko-Artem]

Hi @HaoK, could you check my suggestion, please?

[Shazhko-Artem]

@blowdart, @javiercn, @mkArtakMSFT, sorry to bother you, could you please check my suggestion above please? Or mention someone who can do it.