Closed mispeer closed 1 year ago
darrelmiller
commented
3 years ago Here's a hash using SHA256 https://github.com/microsoft/kiota/blob/main/src/kiota.core/OpenApiUriSpaceNode.cs#L61 However, we should reinvestigate why exactly we need the hash.
millicentachieng
commented
1 year ago After a review of our codebase, we exclusively use the System.Security.Cryptography library and the SHA-256 algorithm, which adhere to FIPS compliance requirements.
If you have any evidence or concerns indicating non-compliance or using a different hashing algorithm, please feel free to reopen this issue, and we will promptly address it.
Short summary (3-5 sentences) describing the issue. Converter uses MD5 hash, which is not FIPS compliant. Full functionality failure in any environment with FIPS compliance enabled.
Assemblies affected
Reader. Which assemblies and versions are known to be affected? All.
Steps to reproduce
Enable FIPS compliance on the environment where the converter is executing. The simplest set of steps to reproduce the issue. If possible, reference a commit that demonstrates the issue.
Expected result
Converter does not crash What would happen if there wasn't a bug.
Actual result
Converter crashes with FIPS compliance runtime error. What is actually happening.
Additional detail
Oracle listing FIPS non-compliant algorithms:https://docs.oracle.com/cd/E36784_01/html/E54953/fips-notok-1.html NIST draft of 2019 FIPS compliant algorithms: https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf *Optional, details of the root cause if known.