[BUG] DataProtection unable to unprotect with older keys after upgrading Azure.Extensions.AspNetCore.DataProtection.Keys #37043
Description
Library name and version
Azure.Extensions.AspNetCore.DataProtection.Keys
Describe the bug
This is the exact same problem as descibed in #14761, which seem to have been fixed, but we recently upgraded from 1.1.0 to 1.2.2 and got the following error:
Could not load file or assembly 'Azure.Extensions.AspNetCore.DataProtection.Keys, Version=1.1.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
With the following stack trace:
at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMarkHandle stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName, ObjectHandleOnStack type) at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName) at System.RuntimeType.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark& stackMark) at System.Type.GetType(String typeName, Boolean throwOnError) at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.CreateDecryptor(IActivator activator, String decryptorTypeName) at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator) at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement) at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>g__GetLazyDescriptorDelegate|0() at System.Lazy\`1.CreateValue() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Lazy`1.get_Value() at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor() at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor() at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.KeyHolder.GetEncryptorInstance(Boolean& isRevoked) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.GetAuthenticatedEncryptorByKeyId(Guid keyId, Boolean& isRevoked) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) I tried manually patching the decryptorType XML element like this:
-decryptorType="Azure.Extensions.AspNetCore.DataProtection.Keys.AzureKeyVaultXmlDecryptor, Azure.Extensions.AspNetCore.DataProtection.Keys, Version=1.1.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8" +decryptorType="Azure.Extensions.AspNetCore.DataProtection.Keys.AzureKeyVaultXmlDecryptor, Azure.Extensions.AspNetCore.DataProtection.Keys, Version=1.2.2.0, Culture=neutral, PublicKeyToken=92742159e12e44c8"As suggested in #14761, which made the code work again.
Expected behavior
I'm able to update Azure.Extensions.AspNetCore.DataProtection.Keys to a newer version, without breaking my application.
Actual behavior
By updating Azure.Extensions.AspNetCore.DataProtection.Keys to a newer version, I'm unable to unprotect secrets encrypted with an earlier key.
Reproduction Steps
- Protect something with a key encrypted with Azure.Extensions.AspNetCore.DataProtection.Keys v1.1.0
- Upgrade to Azure.Extensions.AspNetCore.DataProtection.Keys v1.2.2
- Unprotect secret stored with key from Azure.Extensions.AspNetCore.DataProtection.Keys v1.1.0
Environment
Azure AppService on .NET Framework 4.8