开发者

Can the ASP.NET ScriptManager be made to work with the Windows FIPS security policy?

开发者 https://www.devze.com 2022-12-20 12:01 出处:网络
If you enable the \"Use FIPS compliant algorithms for encryption, hashing, and signing\" security policy option in Windows, attempting to use many of the cryptographic classes in the .NET Framework wi

If you enable the "Use FIPS compliant algorithms for encryption, hashing, and signing" security policy option in Windows, attempting to use many of the cryptographic classes in the .NET Framework will result in an InvalidOperationException. By default, ASP.NET uses AES to encrypt the ViewState blob, so it fails. You can work around this by adding a key like this to web.config:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

And that covers you for basic ASP.NET use. My problem is this: I have a large, complex ASP.NET web applications that makes heavy use of ScriptManagers (the foundation of ASP.NET AJAX) and needs to be deployed by a government customer who must enable this FIPS policy setting. Any ASP.NET page with a ScriptManager on it throws this exception:

[Invalid开发者_如何学编程OperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
   System.Security.Cryptography.SHA1Managed..ctor() +3607454
   System.Security.Policy.Hash.get_SHA1() +45
   System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85
   System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99
   System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525
   System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910
   System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193
   System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306
   System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169
   System.Web.UI.ScriptManager.RegisterScripts() +407
   System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200
   System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672

Even adding the <enforceFIPSPolicy enabled="false"/> element to web.config does not resolve the exception.

Is there any way to configure ASP.NET such that ScriptManager can be used with the Windows FIPS security policy?


Update from Microsoft: The hot fix is available at http://code.msdn.microsoft.com/KB981119

The answer is that you can't use ScriptManager with a FIPS enabled server. :(

The static method GetAssemblyInfo of class System.Web.Handlers.ScriptResourceHandler creates a hash object that is not FIPS compliant. This was changed between .Net 3.5 SP1 and .Net 3.51

(System.Web.Extensions version 3.5.30729.196)
XP/2003/2008 .Net 3.5 SP1

private static Pair<AssemblyName, DateTime> GetAssemblyInfoInternal(Assembly assembly)
{
    return new Pair<AssemblyName, DateTime>(new AssemblyName(assembly.FullName), GetLastWriteTime(assembly));
}

(System.Web.Extensions version 3.5.30729.4926)
Win7/2008R2 .Net 3.51

private static Pair<AssemblyName, string> GetAssemblyInfoInternal(Assembly assembly)
{
    AssemblyName first = new AssemblyName(assembly.FullName);
    return new Pair<AssemblyName, string>(first, Convert.ToBase64String(new Hash(assembly).SHA1));
}

Obviously the change from the time date stamp to the hash broke the FIPS compliance. We have opened a support case with Microsoft.


Microsoft has released a hotfix to address this problem: KB981119. I don't think the hotfix is publicly available through the Microsoft Web site.

0

精彩评论

暂无评论...
验证码 换一张
取 消