Description
Background and Motivation
Currently, when setting up Data Protection, there is an inconsistency in how configuration is handled. In our project we use the IConfigureOptions<KeyManagementOptions> approach, where we can load an encryption certificate after the app services are built, by setting options.XmlEncryptor to a CertificateXmlEncryptor instance.
But we can't do the same for XmlKeyDecryptionOptions, because that class is internal and sealed. So the only possible way to configure Data Protection with X509 certificate encryption is to use the IDataProtectionBuilder.ProtectKeysWithCertificate extension method, which defeats the purpose of the IConfigureOptions pattern.
Proposed API
public class XmlKeyDecryptionOptions
Usage Examples
public class XmlKeyDecryptionOptionsConfigurator(ICertificatesStore store) : IConfigureOptions<XmlKeyDecryptionOptions>
{
    public void Configure(XmlKeyDecryptionOptions options)
    {
        var cert = store.GetDataProtectionCertificate();
        options.AddKeyDecryptionCertificate(cert);
    }
}
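The following is an added example (not code from the issue or from the ASP.NET Core repository) that puts the encryption side, which already works today through IConfigureOptions<KeyManagementOptions>, next to the proposed decryption side and wires both into DI. ICertificatesStore is the hypothetical abstraction from the issue text, and the namespace of XmlKeyDecryptionOptions is assumed, since the type is not public yet.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.DataProtection.XmlEncryption;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical store from the issue: resolves the certificate only after
// the service container exists (e.g. from a vault or a secrets service).
public interface ICertificatesStore
{
    X509Certificate2 GetDataProtectionCertificate();
}

// Works today: KeyManagementOptions.XmlEncryptor is public, so new keys can
// be wrapped with the certificate resolved from the store at options-build time.
public sealed class KeyEncryptionConfigurator(ICertificatesStore store, ILoggerFactory loggerFactory)
    : IConfigureOptions<KeyManagementOptions>
{
    public void Configure(KeyManagementOptions options)
    {
        var cert = store.GetDataProtectionCertificate();
        options.XmlEncryptor = new CertificateXmlEncryptor(cert, loggerFactory);
    }
}

// Only possible once XmlKeyDecryptionOptions is public, as this issue proposes.
// Every certificate whose private key may be needed to unwrap persisted keys
// (including previously rotated ones) should be registered here, otherwise
// older keys in the ring become unreadable after a certificate rollover.
public sealed class KeyDecryptionConfigurator(ICertificatesStore store)
    : IConfigureOptions<XmlKeyDecryptionOptions>
{
    public void Configure(XmlKeyDecryptionOptions options)
    {
        options.AddKeyDecryptionCertificate(store.GetDataProtectionCertificate());
    }
}

public static class DataProtectionRegistration
{
    // Both configurators run lazily when the options are first requested, so
    // ICertificatesStore can itself be a regular DI service.
    public static IServiceCollection AddCertificateProtectedDataProtection(this IServiceCollection services)
    {
        services.AddDataProtection();
        services.AddSingleton<IConfigureOptions<KeyManagementOptions>, KeyEncryptionConfigurator>();
        services.AddSingleton<IConfigureOptions<XmlKeyDecryptionOptions>, KeyDecryptionConfigurator>();
        return services;
    }
}
```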
Alternative Designs
Alternatively, there should be an .XmlDecryptor property on KeyManagementOptions, analogous to the .XmlEncryptor one, by which we can set the IXmlDecryptor instance to be used when decrypting Data Protection keys.
Risks
None.