Comments (14)
This is great feedback, thank you.
I wonder if SHA256.Create() would be a sufficient change. It seems like it should ideally create either Sha256Cng or Sha256Managed as supported and appropriate. Do you know if that would work?
from dotnetopenauth.
@joeudwin
SHA256.Create() depends on the configuration provided to the application, see http://msdn.microsoft.com/en-us/library/693aff9y.aspx
from dotnetopenauth.
So couldn't a web.config file contain the necessary settings to make the library FIPS-compliant if the library called the SHA256.Create() method?
from dotnetopenauth.
@AArnott
I think it could.
from dotnetopenauth.
Good spot @hazzik.
There is good and bad news...
I can get SHA512.Create() to work by modifying the machine.config.
However, annoyingly, it seems HMACSHA1 is the only FIPS-compliant implementation built into .NET out of the ones you are using:
HMACSHA512, HMACSHA384, HMACSHA256 and HMACSHA1.
I will search for another source for these algorithms and report back.
from dotnetopenauth.
After doing some research I have found that the CLR Security team have created FIPS-compliant versions of the other HMAC algorithms in the clrsecurity CodePlex project (see blog).
After adding the Security.Cryptography.dll to the bin folder and adding the following section to the machine.config:
<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass TestSHA512="System.Security.Cryptography.SHA512Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<cryptoClass TestHMACSHA512="Security.Cryptography.HMACSHA512Cng, Security.Cryptography, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</cryptoClasses>
<nameEntry name="System.Security.Cryptography.SHA512" class="TestSHA512"/>
<nameEntry name="HMACSHA512" class="TestHMACSHA512"/>
</cryptoNameMapping>
</cryptographySettings>
</mscorlib>
I can get both of the following lines to work without error:
var a = SHA512.Create();
var b = HMAC.Create("HMACSHA512");
So I think the code changes needed to make DotNetOpenAuth work with the FIPS policy enforced are as simple as replacing the use of
new SHA512Managed() with SHA512.Create();
and
new HMACSHA512() with HMAC.Create("HMACSHA512");
from dotnetopenauth.
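The comments above (the SHA256.Create() question and the machine.config mapping for SHA512/HMACSHA512) describe one technique: stop constructing the *Managed classes directly and let CryptoConfig resolve the algorithm name, so an administrator can redirect it to a FIPS-validated CNG implementation via cryptoNameMapping. The following is an added example written for this page, not DotNetOpenAuth's code. It puts the "before" (new SHA512Managed()) next to the "after" (SHA512.Create(), HMAC.Create("HMACSHA512")) and adds a small diagnostic that prints which concrete type the configuration actually resolved. The key and message are constructed sample input; the class and method names are the example's own.

```csharp
// Added example, not DotNetOpenAuth's own code.
// Demonstrates replacing concrete *Managed hash classes with the
// CryptoConfig-driven factories so that a machine.config/web.config
// <cryptoNameMapping> can substitute FIPS-validated (CNG) implementations.
using System;
using System.Security.Cryptography;
using System.Text;

public static class FipsFriendlyHashing
{
    // BEFORE: a concrete managed type. When the Windows policy
    // "Use FIPS compliant algorithms for encryption, hashing, and signing"
    // is enforced, this constructor throws InvalidOperationException because
    // the managed implementation is not FIPS-validated.
    public static byte[] HashManaged(byte[] data)
    {
        using (var sha = new SHA512Managed())
        {
            return sha.ComputeHash(data);
        }
    }

    // AFTER: factory methods. SHA512.Create() and HMAC.Create(name) resolve
    // the concrete class through CryptoConfig, i.e. through the
    // <cryptoNameMapping> section shown in the thread, so the mapping can
    // point at SHA512Cng / a CNG-backed HMAC without touching library code.
    public static byte[] HashViaConfig(byte[] data)
    {
        using (var sha = SHA512.Create())
        {
            return sha.ComputeHash(data);
        }
    }

    public static byte[] HmacViaConfig(byte[] key, byte[] data)
    {
        // HMAC.Create returns null when the name has neither a mapping nor a
        // built-in default; fail loudly rather than with a NullReferenceException.
        HMAC hmac = HMAC.Create("HMACSHA512");
        if (hmac == null)
            throw new CryptographicException("No implementation registered for HMACSHA512");
        using (hmac)
        {
            hmac.Key = key;
            return hmac.ComputeHash(data);
        }
    }

    // Diagnostic: which concrete types CryptoConfig resolved and whether the
    // FIPS policy is active. Handy for verifying a cryptoNameMapping change.
    public static string Describe()
    {
        var sb = new StringBuilder();
        sb.AppendLine("AllowOnlyFipsAlgorithms: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        using (var sha = SHA512.Create())
            sb.AppendLine("SHA512 -> " + sha.GetType().FullName);
        using (var hmac = HMAC.Create("HMACSHA512"))
            sb.AppendLine("HMACSHA512 -> " + (hmac == null ? "(unmapped)" : hmac.GetType().FullName));
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample input for the demonstration only.
        byte[] key = Encoding.ASCII.GetBytes("example-key-not-for-production");
        byte[] data = Encoding.ASCII.GetBytes("hello");

        Console.WriteLine(Describe());
        try
        {
            Console.WriteLine("SHA512Managed:  " + BitConverter.ToString(HashManaged(data)));
        }
        catch (InvalidOperationException ex)
        {
            // This is the failure the thread is about.
            Console.WriteLine("SHA512Managed rejected by FIPS policy: " + ex.Message);
        }
        Console.WriteLine("SHA512.Create(): " + BitConverter.ToString(HashViaConfig(data)));
        Console.WriteLine("HMAC.Create(\"HMACSHA512\"): " + BitConverter.ToString(HmacViaConfig(key, data)));
    }
}
```

Run it once with the default configuration and once after adding the cryptoNameMapping from the comment above: Describe() should switch from reporting the managed types to SHA512Cng and Security.Cryptography.HMACSHA512Cng, and the two factory-based hashes must stay byte-for-byte identical across both runs, since the mapping changes only the implementation, not the algorithm.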
Stellar. Thanks. We should be able to get this into the next release.
from dotnetopenauth.
That is great news! When is the next release scheduled for?
Will you update this issue when it is resolved?
from dotnetopenauth.
There isn't a schedule for it right now. Hopefully in the next month. And yes, this issue will be updated when that happens.
from dotnetopenauth.
Hi @AArnott, any update on when this may be fixed/ released?
Thanks!
from dotnetopenauth.
Hi @AArnott, I would also be interested in this fix any idea when it might be ready? Thanks.
from dotnetopenauth.
We're looking at a release by the end of this month. I hope this issue can be fixed there.
from dotnetopenauth.
This has been fixed in 72f107fd. Slated for release in the coming week.
from dotnetopenauth.
HMACSHA algorithms still need to be converted.
from dotnetopenauth.