markdomansky / WebJEA

WebJEA - Secure Self Service Web Forms from PowerShell Scripts
GNU General Public License v3.0
237 stars 28 forks

FIPS compliant cryptography #69

Open cmleigh opened 3 years ago

cmleigh commented 3 years ago

I deployed WebJEA, changing only site-specific info (node, cert). Everything completed with no errors at that point. Opened up a browser to https://fqdn/webjea and received: "There was an error."

*Note: I had to sanitize the hostname and account names.

FIPS does not support SHA256Managed. Can you support FIPS-compliant cryptography other than System.Security.Cryptography.SHA256Managed..ctor()? Or is there a workaround other than disabling FIPS?

The logs from the web event:

```
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 9/28/2021 11:57:39 AM
Event time (UTC): 9/28/2021 3:57:39 PM
Event ID: a5d420a67a8f4db2aebd9b624d4dbea9
Event sequence: 8
Event occurrence: 1
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/1/ROOT/WebJEA-1-132773182583222319
    Trust level: Full
    Application Virtual Path: /WebJEA
    Application Path: S:\inetpub\wwwroot\webjea\
    Machine name: hostname

Process information:
    Process ID: 4244
    Process name: w3wp.exe
    Account name: service account

Exception information:
    Exception type: InvalidOperationException
    Exception message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA256Managed..ctor()
   at WebJEA.Helpers.StringHash256(String strin) in C:\prj\WebJEA\WebJEA\Helpers.vb:line 42
   at WebJEA._default.Page_Load(Object sender, EventArgs e) in C:\prj\WebJEA\WebJEA\default.aspx.vb:line 19
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Request information:
    Request URL: https://fqdn:443/webjea/default.aspx
    Request path: /webjea/default.aspx
    User host address: xxxxxxxxx
    User: user
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: service account

Thread information:
    Thread ID: 12
    Thread account name: service account
    Is impersonating: False
    Stack trace:
   at System.Security.Cryptography.SHA256Managed..ctor()
   at WebJEA.Helpers.StringHash256(String strin) in C:\prj\WebJEA\WebJEA\Helpers.vb:line 42
   at WebJEA._default.Page_Load(Object sender, EventArgs e) in C:\prj\WebJEA\WebJEA\default.aspx.vb:line 19
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
```

markdomansky commented 3 years ago

This is an interesting question. I've not worked with FIPS. A brief search indicates that .NET should automatically manage SHA256 FIPS compliance but maybe I've not called it in a way .NET handles it correctly. Give me some time to look into this.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

cmleigh commented 2 years ago

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha256managed.-ctor?view=net-6.0

> SHA256Managed Constructor
> InvalidOperationException: The Federal Information Processing Standards (FIPS) security setting is enabled. This implementation is not part of the Windows Platform FIPS-validated cryptographic algorithms.

What about SHA256Create()?
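As an added example (not WebJEA's code, and not from either commenter), the following Windows PowerShell 5.1 script shows on a FIPS-enforced host the difference between constructing SHA256Managed directly and letting SHA256.Create() pick the provider, since Windows PowerShell 5.1 runs on the same .NET Framework as the w3wp.exe app pool. The registry path is the standard Windows FIPS policy value; the Get-StringHash256 function and its lowercase-hex output format are assumptions about how a helper like StringHash256 might look, not WebJEA's actual implementation.

```powershell
# Added example, not part of WebJEA. Run in Windows PowerShell 5.1 on the IIS host so the
# same .NET Framework crypto mappings apply as in the w3wp.exe app pool.

function Get-FipsPolicyEnabled {
    # Windows enforces FIPS mode through this Lsa policy value (1 = enforced, 0/absent = off).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return [bool]($item -and $item.Enabled -eq 1)
}

function Test-Sha256ManagedUsable {
    # The managed implementation is the one the stack trace shows failing: its constructor
    # throws InvalidOperationException when FIPS policy is enforced.
    try {
        $managed = New-Object System.Security.Cryptography.SHA256Managed -ErrorAction Stop
        $managed.Dispose()
        return $true
    } catch {
        # New-Object wraps the constructor exception in a PowerShell error record,
        # so catch generically rather than on the inner exception type.
        return $false
    }
}

function Get-StringHash256 {
    # Assumed replacement pattern for a helper like StringHash256: let the runtime choose the
    # default SHA-256 provider. On current .NET Framework and .NET that is a CNG/CSP-backed
    # class permitted under FIPS policy; the "Provider selected" line below confirms which one.
    param([Parameter(Mandatory)][string]$InputString)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($InputString)
        # Lowercase hex is an assumed output format, not necessarily what WebJEA uses.
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '').ToLowerInvariant()
    } finally {
        $sha.Dispose()
    }
}

"FIPS policy enforced : $(Get-FipsPolicyEnabled)"
"SHA256Managed usable : $(Test-Sha256ManagedUsable)"
"Provider selected    : $([System.Security.Cryptography.SHA256]::Create().GetType().FullName)"
"SHA256.Create() hash : $(Get-StringHash256 -InputString 'webjea')"
```

On a FIPS-enforced host the expected picture is "SHA256Managed usable : False" while the last two lines still succeed; if "Provider selected" reports SHA256Managed, the runtime is mapping the default to the managed class and a CNG-backed class would need to be requested explicitly.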