如果在Windows中启用“使用FIPS兼容算法进行加密,散列和签名”安全策略选项,则尝试使用.NET Framework中的许多加密类将导致InvalidOperationException。默认情况下,ASP.NET使用AES加密ViewState blob,因此失败。您可以通过向web.config添加这样的密钥来解决此问题:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
这涵盖了ASP.NET的基本用法。我的问题是:我有一个庞大,复杂的ASP.NET Web应用程序,它大量使用ScriptManagers(ASP.NET AJAX的基础),需要由必须启用此FIPS策略设置的政府客户部署。任何带有ScriptManager的ASP.NET页面都会抛出此异常:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA1Managed..ctor() +3607454
System.Security.Policy.Hash.get_SHA1() +45
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99
System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193
System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306
System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169
System.Web.UI.ScriptManager.RegisterScripts() +407
System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200
System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672
即使将<enforceFIPSPolicy enabled="false"/>元素添加到web.config也无法解决异常。
有没有办法配置ASP.NET,以便ScriptManager可以与Windows FIPS安全策略一起使用?
答案 0 :(得分:3)
从Microsoft更新:此修补程序位于http://code.msdn.microsoft.com/KB981119
答案是您不能将ScriptManager与启用FIPS的服务器一起使用。 :(
类System.Web.Handlers.ScriptResourceHandler的静态方法GetAssemblyInfo创建一个不符合FIPS标准的哈希对象。这在.Net 3.5 SP1和.Net 3.51之间发生了变化
(System.Web.Extensions版本3.5.30729.196)
XP / 2003/2008 .Net 3.5 SP1
private static Pair<AssemblyName, DateTime> GetAssemblyInfoInternal(Assembly assembly)
{
return new Pair<AssemblyName, DateTime>(new AssemblyName(assembly.FullName), GetLastWriteTime(assembly));
}
(System.Web.Extensions版本3.5.30729.4926)
Win7 / 2008R2 .Net 3.51
private static Pair<AssemblyName, string> GetAssemblyInfoInternal(Assembly assembly)
{
AssemblyName first = new AssemblyName(assembly.FullName);
return new Pair<AssemblyName, string>(first, Convert.ToBase64String(new Hash(assembly).SHA1));
}
显然,从时间日期戳到哈希的更改打破了FIPS合规性。我们已经与微软开了一个支持案例。
答案 1 :(得分:1)
Microsoft已发布一个修补程序来解决此问题:KB981119。我不认为此修补程序是通过Microsoft网站公开提供的。