[tests] enable FIPS mode for Windows MSBuild tests #3728
aff6f4e to 65eade2
Failures we'll have to deal with to merge this:
Not sure what to do about this: https://github.com/mono/ikvm-fork/blob/f9c1e2fec05127bb840488482b6aff1a0a942f3c/reflect/AssemblyName.cs#L405
Context: dotnet/android#3728 (comment)

On Windows 10 machines with the [Use FIPS compliant algorithms][0] group policy enabled, `mkbundle` fails with:

    C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Xamarin\Android\mkbundle.exe --dos2unix=false --nomain --i18n none --bundled-header --mono-api-struct-path "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Xamarin\Android\\mkbundle-api.h" --style linux -c -o obj\Release\bundles\x86_64\temp.c -oo obj\Release\bundles\x86_64\assemblies.o -z obj\Release\android\assets\UnnamedProject.dll obj\Release\android\assets\shrunk\Java.Interop.dll obj\Release\android\assets\shrunk\Mono.Android.dll obj\Release\android\assets\shrunk\mscorlib.dll obj\Release\android\assets\shrunk\System.Core.dll obj\Release\android\assets\shrunk\System.dll obj\Release\android\assets\shrunk\System.Runtime.Serialization.dll (TaskId:215)
    Unhandled Exception: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. (TaskId:215)
       at System.Security.Cryptography.SHA1Managed..ctor() (TaskId:215)
       at IKVM.Reflection.AssemblyName.ComputePublicKeyToken(Byte[] publicKey) (TaskId:215)
       at IKVM.Reflection.AssemblyName.get_FullName() (TaskId:215)
       at IKVM.Reflection.Universe.LoadAssembly(RawModule module) (TaskId:215)
       at IKVM.Reflection.Universe.LoadFile(String path) (TaskId:215)
       at MakeBundle.LoadAssemblyFile(String assembly) (TaskId:215)
       at MakeBundle.LoadAssemblies(List`1 sources) (TaskId:215)
       at MakeBundle.Main(String[] args) (TaskId:215)

On a FIPS-enabled machine, these code examples:

    var sha1 = new SHA1Managed ()
    var sha1 = SHA1.Create ()

Will throw:

    System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

But this one works:

    var sha1 = new SHA1CryptoServiceProvider ()

Since the `PublicKeyToken` of a .NET assembly is a SHA1 value, there is not really another option--we have to make this change for `mkbundle.exe` to work.

[0]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing
👍 nice, looks like this is working as expected!
Context: dotnet/android#3728 (comment)

On Windows 10 machines with the [Use FIPS compliant algorithms][0] group policy enabled, `mkbundle` fails with:

    C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Xamarin\Android\mkbundle.exe --dos2unix=false --nomain --i18n none --bundled-header --mono-api-struct-path "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Xamarin\Android\\mkbundle-api.h" --style linux -c -o obj\Release\bundles\x86_64\temp.c -oo obj\Release\bundles\x86_64\assemblies.o -z obj\Release\android\assets\UnnamedProject.dll obj\Release\android\assets\shrunk\Java.Interop.dll obj\Release\android\assets\shrunk\Mono.Android.dll obj\Release\android\assets\shrunk\mscorlib.dll obj\Release\android\assets\shrunk\System.Core.dll obj\Release\android\assets\shrunk\System.dll obj\Release\android\assets\shrunk\System.Runtime.Serialization.dll (TaskId:215)
    Unhandled Exception: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. (TaskId:215)
       at System.Security.Cryptography.SHA1Managed..ctor() (TaskId:215)
       at IKVM.Reflection.AssemblyName.ComputePublicKeyToken(Byte[] publicKey) (TaskId:215)
       at IKVM.Reflection.AssemblyName.get_FullName() (TaskId:215)
       at IKVM.Reflection.Universe.LoadAssembly(RawModule module) (TaskId:215)
       at IKVM.Reflection.Universe.LoadFile(String path) (TaskId:215)
       at MakeBundle.LoadAssemblyFile(String assembly) (TaskId:215)
       at MakeBundle.LoadAssemblies(List`1 sources) (TaskId:215)
       at MakeBundle.Main(String[] args) (TaskId:215)

On a FIPS-enabled machine, these code examples:

    var sha1 = new SHA1Managed();

Will throw:

    System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

But these three options work:

    var sha1 = SHA1.Create();
    var sha1 = new SHA1CryptoServiceProvider();
    var sha1 = new SHA1Cng();

We should use `SHA1.Create()` which will use the appropriate implementation if FIPS is enabled or not.

Since the `PublicKeyToken` of a .NET assembly is a SHA1 value, there is not really another option--we have to make this change for `mkbundle.exe` to work.

[0]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing
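The commit message above turns on how the public key token is hashed. The following is an added example, not code from IKVM, mono or this pull request: it derives a token through `SHA1.Create()` and then reports what a direct `SHA1Managed` construction does on the current machine. It assumes .NET Framework on Windows; the class name and the sample key bytes are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class PublicKeyTokenExample
{
    // A public key token is the last 8 bytes of the SHA-1 hash of the
    // public key blob, in reverse order.
    static byte[] ComputePublicKeyToken(byte[] publicKey)
    {
        // SHA1.Create() leaves the choice of implementation to the platform,
        // so no managed-only class is constructed directly here.
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(publicKey);
            byte[] token = new byte[8];
            for (int i = 0; i < token.Length; i++)
                token[i] = hash[hash.Length - 1 - i];
            return token;
        }
    }

    static void Main()
    {
        // Constructed sample input, not a real strong-name public key.
        byte[] samplePublicKey = new byte[160];
        for (int i = 0; i < samplePublicKey.Length; i++)
            samplePublicKey[i] = (byte)i;

        // True when the "Use FIPS compliant algorithms" policy is in effect.
        Console.WriteLine("FIPS-only policy: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] token = ComputePublicKeyToken(samplePublicKey);
        Console.WriteLine("PublicKeyToken:   " +
            BitConverter.ToString(token).Replace("-", "").ToLowerInvariant());

        // Reproduces the failure from the stack trace when the policy is on.
        try
        {
            using (new SHA1Managed()) { }
            Console.WriteLine("SHA1Managed:      constructed");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("SHA1Managed:      " + ex.Message);
        }
    }
}
```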
65eade2 to 4e69b4e
/azp run
Pull request contains merge conflicts.
Fixes: dotnet#1580

If this works out, this would run our MSBuild test suite while the [Use FIPS compliant algorithms][0] group policy setting is enabled. This would validate that Xamarin.Android works as expected going forward.

[0]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing
This commit eventually replaced by: dotnet#3770
4e69b4e to 2d48fec
The
|
This hasn't come up again, as we removed all MD5 and SHA1. Closing for now.
I believe this is resolved on my side (from being a reporter), as our CI can build Xamarin now without the FIPS error
Fixes: #1580
If this works out, this would run our MSBuild test suite while the
Use FIPS compliant algorithms group policy setting is enabled.
This would validate that Xamarin.Android works as expected going
forward.