Windows Platform FIPS validated cryptographic algorithms.

Topics: Metadata Model, PE reader
Feb 20, 2015 at 11:50 AM

There is a ComputePublicKeyToken method in Microsoft.Cci.UnitHelper that uses the System.Security.Cryptography.SHA1Managed class.
Is it possible to change it to System.Security.Cryptography.HMACSHA1 or something else that is FIPS compliant?
The point is that when I run it on a machine with "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" enabled, I get the following exception:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA1Managed..ctor()
at Microsoft.Cci.UnitHelper.ComputePublicKeyToken(IEnumerable`1 publicKey)

Mar 4, 2015 at 8:12 AM
Hello again,

Sorry, my first assumption about System.Security.Cryptography.HMACSHA1 was wrong. It calculates the wrong hash. But System.Security.Cryptography.SHA1Cng works quite well and is FIPS compliant.
It would be great if you can change SHA1Managed to SHA1Cng.

Mar 5, 2015 at 5:00 AM
Could you submit a patch for this?

Mar 6, 2015 at 12:19 PM
Patch was uploaded.

Mar 7, 2015 at 6:58 PM
Quick question: Will this change be compatible with Mono on a non-Windows platform?

Mar 7, 2015 at 8:35 PM
@hermanv I'm sorry, we cannot test it on Mono, but the classes SHA1 and SHA1CryptoServiceProvider exist in Mono (documentation), and in the old documentation these classes are used in samples (I cannot find samples for cryptography in the new documentation). Also, I found that Mono is not FIPS 140 certified.

Given the above, someone just needs to run the tests under Mono on different OSes.
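
An added example, not part of the thread and not the CCI project's own code: a sketch of the public key token computation (last 8 bytes of the SHA-1 digest, reversed) using the three classes named above, showing which one fails under the FIPS policy and why HMACSHA1 cannot stand in for a plain hash. It assumes .NET Framework on Windows; the `PublicKeyTokenDemo` class, its helpers and the sample key bytes are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class PublicKeyTokenDemo
{
    // Public key token = last 8 bytes of SHA-1(public key blob), in reverse order.
    static byte[] ComputeToken(HashAlgorithm sha1, byte[] publicKey)
    {
        byte[] hash = sha1.ComputeHash(publicKey);
        byte[] token = new byte[8];
        for (int i = 0; i < 8; i++)
            token[i] = hash[hash.Length - 1 - i];
        return token;
    }

    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();

    static void Main()
    {
        // Constructed sample bytes standing in for a public key blob (not a real key).
        byte[] publicKey = Enumerable.Range(0, 160).Select(i => (byte)i).ToArray();

        // CSP-backed SHA-1: wraps the platform implementation, usable with the FIPS policy on.
        using (var csp = new SHA1CryptoServiceProvider())
            Console.WriteLine("SHA1CryptoServiceProvider: " + Hex(ComputeToken(csp, publicKey)));

        // Managed SHA-1: same digest, but the constructor throws when the policy is enabled.
        try
        {
            using (var managed = new SHA1Managed())
                Console.WriteLine("SHA1Managed:               " + Hex(ComputeToken(managed, publicKey)));
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("SHA1Managed rejected: " + ex.Message);
        }

        // HMACSHA1 is a keyed MAC; the parameterless constructor picks a random key,
        // so the result is not SHA-1(publicKey) and changes from run to run.
        using (var hmac = new HMACSHA1())
            Console.WriteLine("HMACSHA1 (not a token):    " + Hex(ComputeToken(hmac, publicKey)));
    }
}
```

With the policy disabled, the first two lines print the same token; with it enabled, only the SHA1Managed line changes to the rejection message.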