如果在 Windows 中启用“使用符合 FIPS 标准的算法进行加密、哈希和签名”安全策略选项,则尝试使用 .NET Framework 中的许多加密类将导致 InvalidOperationException。默认情况下,ASP.NET 使用 AES 加密 ViewState blob,因此会失败。您可以通过向 web.config 添加如下所示的密钥来解决此问题:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
这涵盖了基本的 ASP.NET 使用。我的问题是这样的:我有一个大型、复杂的 ASP.NET Web 应用程序,它大量使用 ScriptManager(ASP.NET AJAX 的基础),并且需要由必须启用此 FIPS 策略设置的政府客户进行部署。任何带有 ScriptManager 的 ASP.NET 页面都会引发此异常:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA1Managed..ctor() +3607454
System.Security.Policy.Hash.get_SHA1() +45
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99
System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193
System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306
System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169
System.Web.UI.ScriptManager.RegisterScripts() +407
System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200
System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672
即使将
有没有办法配置 ASP.NET,以便 ScriptManager 可以与 Windows FIPS 安全策略一起使用?
If you enable the "Use FIPS compliant algorithms for encryption, hashing, and signing" security policy option in Windows, attempting to use many of the cryptographic classes in the .NET Framework will result in an InvalidOperationException. By default, ASP.NET uses AES to encrypt the ViewState blob, so it fails. You can work around this by adding a key like this to web.config:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
And that covers you for basic ASP.NET use. My problem is this: I have a large, complex ASP.NET web applications that makes heavy use of ScriptManagers (the foundation of ASP.NET AJAX) and needs to be deployed by a government customer who must enable this FIPS policy setting. Any ASP.NET page with a ScriptManager on it throws this exception:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA1Managed..ctor() +3607454
System.Security.Policy.Hash.get_SHA1() +45
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85
System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99
System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910
System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193
System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306
System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169
System.Web.UI.ScriptManager.RegisterScripts() +407
System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200
System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672
Even adding the <enforceFIPSPolicy enabled="false"/> element to web.config does not resolve the exception.
Is there any way to configure ASP.NET such that ScriptManager can be used with the Windows FIPS security policy?
发布评论
评论(2)
来自 Microsoft 的更新:可在 http://code.msdn.microsoft.com 获取此修补程序/KB981119
答案是您无法将 ScriptManager 与启用 FIPS 的服务器一起使用。 :(
System.Web.Handlers.ScriptResourceHandler 类的静态方法 GetAssemblyInfo 创建不符合 FIPS 的哈希对象。这在 .Net 3.5 SP1 和 .Net 3.51 之间进行了更改
(System.Web.Extensions 版本 3.5.30729.196)
XP/2003/2008 .Net 3.5 SP1
(System.Web.Extensions 版本 3.5.30729.4926)
Win7/2008R2 .Net 3.51
显然,从时间戳到哈希值的更改破坏了 FIPS 合规性。我们已向 Microsoft 提出支持案例。
Update from Microsoft: The hot fix is available at http://code.msdn.microsoft.com/KB981119
The answer is that you can't use ScriptManager with a FIPS enabled server. :(
The static method GetAssemblyInfo of class System.Web.Handlers.ScriptResourceHandler creates a hash object that is not FIPS compliant. This was changed between .Net 3.5 SP1 and .Net 3.51
(System.Web.Extensions version 3.5.30729.196)
XP/2003/2008 .Net 3.5 SP1
(System.Web.Extensions version 3.5.30729.4926)
Win7/2008R2 .Net 3.51
Obviously the change from the time date stamp to the hash broke the FIPS compliance. We have opened a support case with Microsoft.
Microsoft 已发布修补程序来解决此问题:KB981119。我认为该修补程序不会通过 Microsoft 网站公开提供。
Microsoft has released a hotfix to address this problem: KB981119. I don't think the hotfix is publicly available through the Microsoft Web site.