DotNetOpenAuth not FIPS compliant about dotnetopenauth HOT 14 CLOSED

This is great feedback, thank you.

I wonder if SHA256.Create() would be a sufficient change. It seems like it should ideally create either Sha256Cng or Sha256Managed as supported and appropriate. Do you know if that would work?

from dotnetopenauth.

@joeudwin
SHA256.Create() depends on configuration provided to application, see http://msdn.microsoft.com/en-us/library/693aff9y.aspx

from dotnetopenauth.

So couldn't a web.config file contain the necessary settings to make the library FIPS-compliant if the library called the SHA256.Create() method?

from dotnetopenauth.

@AArnott
I think it could

from dotnetopenauth.

Good spot @hazzik.
There is good and bad news...

I can get SHA512.Create() to work by modifying the machine.config

However annoyingly it seems HMACSHA1 is the only FIPS compliant implementation built into .Net out of the ones you are using:
HMACSHA512,HMACSHA384,HMACSHA256 and HMACSHA1.
I will search for another source for these algorithms and report back.

from dotnetopenauth.

After doing some research i have found that the CLR Security team have created FIPS compliant versions of the other HMAC algorithms in the clrsecurity codeplex project (see blog)
After adding the Security.Cryptography.dll to the bin folder and adding the following section to the machine config

<mscorlib>
<cryptographySettings>
<cryptoNameMapping>
<cryptoClasses>
<cryptoClass TestSHA512="System.Security.Cryptography.SHA512Cng, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<cryptoClass TestHMACSHA512="Security.Cryptography.HMACSHA512Cng, Security.Cryptography, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</cryptoClasses>
<nameEntry name="System.Security.Cryptography.SHA512" class="TestSHA512"/>
<nameEntry name="HMACSHA512" class="TestHMACSHA512"/>
</cryptoNameMapping>
</cryptographySettings>
</mscorlib>

I can get of the following lines to work without error:

var a = SHA512.Create();
var b = HMAC.Create("HMACSHA512");

So i think the code changes needed to make dotNetOpenAuth work with the FIPS policy enforced is as simple as replacing the use of
new SHA512Managed() with SHA512.Create();
and
new HMACSHA512() with HMAC.Create("HMACSHA512");

from dotnetopenauth.

Stellar. Thanks. We should be able to get this into the next release.

from dotnetopenauth.

That is great news! When is the next release scheduled for?
Will you update this issue when it is resolved?

from dotnetopenauth.

There isn't a schedule for it right now. Hopefully in the next month. And yes, this issue will be updated when that happens.

from dotnetopenauth.

Hi @AArnott, any update on when this may be fixed/ released?
Thanks!

from dotnetopenauth.

Hi @AArnott, I would also be interested in this fix any idea when it might be ready? Thanks.

from dotnetopenauth.

We're looking at a release by the end of this month. I hope this issue can be fixed there.

from dotnetopenauth.

This has been fixed in 72f107fd. Slated for release in the coming week.

from dotnetopenauth.

HMACSHA algorithms still need to be converted.

from dotnetopenauth.