System.Security.Cryptography.CryptographicException: 'The payload was invalid. For more information go to http://aka.ms/dataprotectionwarning'

[palmej2]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

There is a bug in the usage of the Microsoft.AspNetCore.DataProtection.SystemWeb nuget package.

I have a basic ASP.NET MVC .NET 4.8 project created using the examples in the article with the DataProtectionDemo.cs and using the Microsoft.AspNetCore.DataProtection.SystemWeb nuget package. I did everything exactly how the article described. Setup as follows:

-I created a basic .NET Core Console application injecting the IDataProtectionProvider and setting up the AddDataProjection() exactly how it was done in the first example (but in core).

If I protect a value (any value) on the ASP.NET site and try and unprotect that value on the console application I get the "The payload was invalid.". Either there missing information in that product article critical to getting this working, or there is a bug in the process. I've double-checked everything the article mentions.

keys are generated correctly in the same file location for both applications
application name is exactly the same in both applications (my-app)

I have generated a github repo reproducing the error here https://github.com/palmej2/DNETFW-2-DNETCORE

NOTE: This is issue originated from dotnet/AspNetCore.Docs#24847 and was directed to make bug

Expected Behavior

Anything encrypted in .NET FW 4.8 should be able to be decrypted and read in .NET as long as the same security keys are used in both applications.

Steps To Reproduce

Get https://github.com/palmej2/DNETFW-2-DNETCORE

Instructions to recreate issues found:

1. The default folder is for the keys is C:\test\myapp-keys. If you want to change it update the code in consoleapp1/program.cs & WebApplication1/DataProtectionDemo.cs.
2. Run the WebApplication project and copy the decrypted value that it produces.
3. Run the ConsoleApp1 project and paste that decrypted value into it.

Currently #3 is failing, and it shouldn't fail. It should decrypt the value correctly, which currently should be "TEST VALUE".

Exceptions (if any)

System.Security.Cryptography.CryptographicException: 'The payload was invalid. For more information go to http://aka.ms/dataprotectionwarning'

.NET Version

4.8/6.0

Anything else?

No response

[blowdart]

So, to mirror what I said in docs, the package was primarily meant for auth cookies, as a stop gap to help people migrate. This just reminds me to draw a line under it and mark it as unsupported and deprecated.

What's the real-world scenario you're trying to solve here?

[palmej2]

I work in the financial industry, and lot of things in a sessions need to be encrypted - some data at rest as well. So we've used it a lot of just general encryption/decryption and data protection of the application. It's maybe not the best solution for the problem but it's been used now for almost 8 years and it works. The project currently is built in .NET FW 4.8. Recently I've been trying to figure out a pathway to migrate (slowly and safely) to .NET Core. Because the size of this project and how many teams I have working on it, the only realistic way to upgrade would be to build out a .NET Core project in parallel and move one API at a time. However, by doing that I need encryption to work the same in both applications. Do we use cookies? Yeah. But we just keep a SessionID in the cookie that corresponds to the session data on the server-side. Do we use view state? Not that I'm aware of. Eventually I'm going to convert all the data at rest that needs encryption into Key Vault. However, I'd still use DataProjection because there still is transient data during a session that, at times, needs to be encrypted - not a lot, but some. So this nuget package got me excited because it looked like a promising way for me to have the same Data Protection for both my apps (4.8, Core) while running them at the same time - but it doesn't work currently.

[adityamandaleeka]

Related: #40083

We'll probably see similar cases as we work on the migration epic in 7.

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[ljohnson91]

Dealing with this issue as well. This issue is a huge blocking problem and I find it very frustrating that it does not work.

[iso8859]

I just got this problem because I changed Kestrel initialisation to be able to use it from Windows service.

.NET 6 project. I moved from

CreateHostBuilder(args).Build().Run();

...

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Microsoft.Extensions.Hosting.Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
            webBuilder.UseIISIntegration();
        });        

to

...
    // In RunTask service start method
    await _webApp.StartAsync(m_exit.Token);
...

public static void Main(string[] args)
{
    // Topshelf service
    var rc = HostFactory.Run(x =>
    {
        x.Service<RunTask>(hostSettings => new RunTask(CreateWebApp(args)));
        x.SetDescription("xxx");
        x.SetDisplayName("xxx");
        x.SetServiceName("xxx");
    });
}

public static WebApplication CreateWebApp(string[] args)
{
    WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
    builder.Host.ConfigureDefaults(args);
    builder.WebHost.UseIISIntegration();
    Startup s = new Startup(builder.Configuration, builder.Environment);
    s.ConfigureServices(builder.Services);
    var app = builder.Build();
    s.Configure(app, app.Environment);
    return app;
}

For my case the workaround was easy because I don't need to keep my protected storage.

ProtectedBrowserStorageResult<string> result = default;
try
{
     result = await m_protectedLocalStore.GetAsync<string>("sr");
}
catch(CryptographicException)
{
    await m_protectedLocalStore.DeleteAsync("sr");
}
if (result.Success)
{
    sessionRequest = result.Value;
}

The question is why protected storage is sensitive to my Kestrel init ?

[shahedbd]

using Microsoft.AspNetCore.DataProtection;


services.AddDataProtection()
            .SetApplicationName("ProjectName")
            .AddKeyManagementOptions(options =>
            {
                options.NewKeyLifetime = new TimeSpan(180, 0, 0, 0);
                options.AutoGenerateKeys = true;
            });

[adityamandaleeka]

@wtgodbe Reassigning this to you to follow up.