Azure and FIPS compliance
I like using the best encryption quality that is readily available; it gives me a warm glow. As stated in the previous post, you can force Windows to require the use of only FIPS-compliant encryption libraries. I have been using this registry switch on my local box to ensure that the application I am developing ticks the correct boxes, so imagine my surprise when deploying to Windows Azure and receiving the following error:
Error 104 The "CSPack" task failed unexpectedly.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA256Managed..ctor()
at Microsoft.ServiceHosting.Tools.Packaging.PackageManifest..ctor(IPackageSecurity rsa, EncryptionType encryptionType)
at Microsoft.ServiceHosting.Tools.Packaging.PackageCreator..ctor(String serviceModelFile, String serviceDescription, IPackageSecurity encrypt, Dictionary`2 namedPackageCollection, String versionInfo)
at Microsoft.ServiceHosting.Tools.Packaging.ServiceApplicationPackage.CreateServiceApplicationPackage(String serviceModelFileName, String serviceDescriptionFile, Stream output, IPackageSecurity encrypt, Dictionary`2 namedStreamCollection, String userInfo, EventHandler`1 rolePackagePartAddedHandler)
at Microsoft.ServiceHosting.Tools.MSBuildTasks.CSPack.TryCreatePackage(ServiceDefinitionModel sm)
at Microsoft.ServiceHosting.Tools.MSBuildTasks.CSPack.Execute()
at Microsoft.Build.BackEnd.TaskExecutionHost.Microsoft.Build.BackEnd.ITaskExecutionHost.Execute()
at Microsoft.Build.BackEnd.TaskBuilder.<ExecuteInstantiatedTask>d__20.MoveNext() C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Windows Azure Tools\1.8\Microsoft.WindowsAzure.targets 2873 5 CloudApp
Well, not really a complete surprise, since the FIPS switch prohibits the use of the "...Managed" libraries in .NET, whereas we should be using the "...CryptoServiceProvider" libraries instead. Of course, I have no control over the Azure deployment, but I don't really understand why MS would use the non-FIPS library when there is a FIPS-compliant one available. Perhaps the FIPS variants do something nasty with unmanaged libraries... Anyway, the solution was to disable the FIPS checking in the registry and try again!
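The difference between the two class families, as an added example that is not code from this post or from the Azure tooling. It assumes .NET Framework 4.x; the class name FipsHashDemo and the helpers Probe and Sha256 are hypothetical, and the input string is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsHashDemo
{
    // Tries to construct a hash algorithm under the current machine policy.
    // Returns null on success, or the exception message if the constructor
    // is rejected (as SHA256Managed is in the stack trace above).
    static string Probe(Func<HashAlgorithm> factory)
    {
        try
        {
            using (factory()) { return null; }
        }
        catch (InvalidOperationException ex)
        {
            return ex.Message;
        }
    }

    // SHA-256 through the CryptoServiceProvider wrapper, which delegates to
    // the Windows platform implementation and so is allowed under the switch.
    static byte[] Sha256(byte[] data)
    {
        using (var sha = new SHA256CryptoServiceProvider())
        {
            return sha.ComputeHash(data);
        }
    }

    static void Main()
    {
        // Reflects the FIPS-only policy that the registry switch turns on.
        Console.WriteLine("FIPS-only policy: {0}", CryptoConfig.AllowOnlyFipsAlgorithms);

        string managed = Probe(() => new SHA256Managed());
        string csp = Probe(() => new SHA256CryptoServiceProvider());
        Console.WriteLine("SHA256Managed:               {0}", managed ?? "constructed OK");
        Console.WriteLine("SHA256CryptoServiceProvider: {0}", csp ?? "constructed OK");

        // Constructed sample input; both classes produce the same digest
        // when both are permitted, only the implementation differs.
        byte[] input = Encoding.UTF8.GetBytes("constructed sample input");
        Console.WriteLine("SHA-256: {0}", BitConverter.ToString(Sha256(input)).Replace("-", ""));
    }
}
```

Running it once with the switch off and once with it on shows which of your own code paths would fail the same way the CSPack task did.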