Can the ASP.NET ScriptManager be made to work with the Windows FIPS security policy?
If you enable the "Use FIPS compliant algorithms for encryption, hashing, and signing" security policy option in Windows, attempting to use many of the cryptographic classes in the .NET Framework will result in an InvalidOperationException. By default, ASP.NET uses AES to encrypt the ViewState blob, so it fails. You can work around this by adding a key like this to web.config:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
And that covers you for basic ASP.NET use. My problem is this: I have a large, complex ASP.NET web applications that makes heavy use of ScriptManagers (the foundation of ASP.NET AJAX) and needs to be deployed by a government customer who must enable this FIPS policy setting. Any ASP.NET page with a ScriptManager on it throws this exception:
[Invalid开发者_如何学编程OperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA1Managed..ctor() +3607454
System.Security.Policy.Hash.get_SHA1() +45
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99
System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193
System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306
System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169
System.Web.UI.ScriptManager.RegisterScripts() +407
System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200
System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672
Even adding the <enforceFIPSPolicy enabled="false"/>
element to web.config does not resolve the exception.
Is there any way to configure ASP.NET such that ScriptManager can be used with the Windows FIPS security policy?
Update from Microsoft: The hot fix is available at http://code.msdn.microsoft.com/KB981119
The answer is that you can't use ScriptManager with a FIPS enabled server. :(
The static method GetAssemblyInfo of class System.Web.Handlers.ScriptResourceHandler creates a hash object that is not FIPS compliant. This was changed between .Net 3.5 SP1 and .Net 3.51
(System.Web.Extensions version 3.5.30729.196)
XP/2003/2008 .Net 3.5 SP1
private static Pair<AssemblyName, DateTime> GetAssemblyInfoInternal(Assembly assembly)
{
return new Pair<AssemblyName, DateTime>(new AssemblyName(assembly.FullName), GetLastWriteTime(assembly));
}
(System.Web.Extensions version 3.5.30729.4926)
Win7/2008R2 .Net 3.51
private static Pair<AssemblyName, string> GetAssemblyInfoInternal(Assembly assembly)
{
AssemblyName first = new AssemblyName(assembly.FullName);
return new Pair<AssemblyName, string>(first, Convert.ToBase64String(new Hash(assembly).SHA1));
}
Obviously the change from the time date stamp to the hash broke the FIPS compliance. We have opened a support case with Microsoft.
Microsoft has released a hotfix to address this problem: KB981119. I don't think the hotfix is publicly available through the Microsoft Web site.
精彩评论