This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
Is your feature request related to a problem? Please describe.
Yes. I'm trying to move a project that consumes this API onto a FIPS compliant Python 3.9 image, i.e. https://images.chainguard.dev/directory/image/python-fips/overview, image tag 3.9.
The problem is that an underlying use of hashlib.md5() that is ultimately consumed by azure.ai.ml.MLClient is not FIPS compliant and ultimately returns the following error on importing MLClient.
Traceback (most recent call last):
  ...
  File "/runtime/llm_proxy/clients/azure.py", line 7, in <module>
    from azure.ai.ml import MLClient
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/__init__.py", line 11, in <module>
    from azure.ai.ml.entities._inputs_outputs import Input, Output
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/entities/__init__.py", line 18, in <module>
    from ._assets._artifacts._package.base_environment_source import BaseEnvironment
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/entities/_assets/__init__.py", line 9, in <module>
    from ._artifacts.code import Code
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/entities/_assets/_artifacts/code.py", line 12, in <module>
    from azure.ai.ml._utils._asset_utils import IgnoreFile, get_content_hash, get_content_hash_version, get_ignore_file
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/_utils/_asset_utils.py", line 80, in <module>
    hash_type = type(hashlib.md5()) # nosec
ValueError: [digital envelope routines] unsupported
The issue is that the md5 hash is being used for non-cryptographic purposes, but not indicated as such. If it were, then its usage within /azure/ai/ml/_utils/_asset_utils.py would work in FIPS mode.
Describe the solution you'd like
For 3.9+, update the use of the hashlib.md5() to indicate that it's not being used for security, with the following usage:
    hashlib.md5(usedforsecurity=False)
    hashlib.md5(b"Initialize for october 2021 AML CLI version", usedforsecurity=False)
The above solution, i.e. the support for the usedforsecurity parameter, only works for 3.9+. Context for the above solution and a potential solution for 3.7-3.8 is here: https://til.simonwillison.net/python/md5-fips#user-content-python-md5-and-usedforsecurityfalse
Describe alternatives you've considered
An alternative, since the current usage of MD5 seems to be for providing a checksum, is to use a different FIPS-compliant hash algorithm, like SHA256.
Additional context
N/A
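
The request above, sketched as an added example (not code from the issue or from azure-ai-ml): a version-tolerant MD5 constructor that passes usedforsecurity=False where the keyword exists, plus the SHA-256 fallback mentioned under alternatives. The names new_md5, checksum_hasher, md5_hash_type, fips_like_md5 and legacy_md5 are hypothetical, and fips_like_md5 is a constructed stand-in that imitates the failure in the traceback so the behaviour can be seen on a non-FIPS interpreter.

```python
import hashlib


def new_md5(data=b"", md5_ctor=hashlib.md5):
    """Return an MD5 hasher flagged as checksum-only (non-security) use."""
    try:
        # Python 3.9+: the flag lets a FIPS-mode OpenSSL permit MD5 here.
        return md5_ctor(data, usedforsecurity=False)
    except TypeError:
        # Assumption: the constructor predates the keyword (Python 3.7-3.8).
        return md5_ctor(data)


def checksum_hasher(data=b"", md5_ctor=hashlib.md5):
    """Flagged MD5 if the crypto provider allows it, otherwise SHA-256.

    Falling back changes the digest, so stored checksums would have to
    record which algorithm produced them.
    """
    try:
        return new_md5(data, md5_ctor)
    except ValueError:
        # Assumption: the provider refuses MD5 even when flagged.
        return hashlib.sha256(data)


def md5_hash_type(md5_ctor=hashlib.md5):
    """Import-time pattern from the traceback, with the flag applied."""
    return type(new_md5(md5_ctor=md5_ctor))


# --- constructed stand-ins for demonstration only ---
def fips_like_md5(data=b"", *, usedforsecurity=True):
    """Imitates a FIPS build: unflagged MD5 raises, flagged MD5 works."""
    if usedforsecurity:
        raise ValueError("[digital envelope routines] unsupported")
    return new_md5(data)


def legacy_md5(data=b""):
    """Imitates a pre-3.9 constructor with no usedforsecurity keyword."""
    return hashlib.md5(data)


def md5_blocked(data=b"", *, usedforsecurity=True):
    """Imitates a provider with no MD5 implementation at all."""
    raise ValueError("unsupported hash type md5")
```
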