Thursday, 13 December 2012

Azure and FIPS compliance

I like using the best encryption quality that is readily available; it gives me a warm glow. As stated in the previous post, you can force Windows to require the use of only FIPS-compliant encryption libraries. I have been using this registry switch on my local box to ensure that the application I am developing ticks the correct boxes, so imagine my surprise when deploying to Windows Azure and receiving the following error:

Error    104    The "CSPack" task failed unexpectedly.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA256Managed..ctor()
   at Microsoft.ServiceHosting.Tools.Packaging.PackageManifest..ctor(IPackageSecurity rsa, EncryptionType encryptionType)
   at Microsoft.ServiceHosting.Tools.Packaging.PackageCreator..ctor(String serviceModelFile, String serviceDescription, IPackageSecurity encrypt, Dictionary`2 namedPackageCollection, String versionInfo)
   at Microsoft.ServiceHosting.Tools.Packaging.ServiceApplicationPackage.CreateServiceApplicationPackage(String serviceModelFileName, String serviceDescriptionFile, Stream output, IPackageSecurity encrypt, Dictionary`2 namedStreamCollection, String userInfo, EventHandler`1 rolePackagePartAddedHandler)
   at Microsoft.ServiceHosting.Tools.MSBuildTasks.CSPack.TryCreatePackage(ServiceDefinitionModel sm)
   at Microsoft.ServiceHosting.Tools.MSBuildTasks.CSPack.Execute()
   at Microsoft.Build.BackEnd.TaskExecutionHost.Microsoft.Build.BackEnd.ITaskExecutionHost.Execute()
   at Microsoft.Build.BackEnd.TaskBuilder.<ExecuteInstantiatedTask>d__20.MoveNext()    C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Windows Azure Tools\1.8\Microsoft.WindowsAzure.targets    2873    5    CloudApp


Well, not really a complete surprise, since the FIPS switch prohibits the use of the "...Managed" libraries in .NET, whereas we should be using the "...CryptoServiceProvider" libraries instead. Of course, I have no control over the Azure deployment, but I don't really understand why MS would use the non-FIPS library when there is a FIPS-compliant one available. Perhaps the FIPS variants do something nasty with unmanaged libraries... Anyway, the solution was to disable the FIPS checking in the registry and try again!
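
The "...Managed" versus "...CryptoServiceProvider" difference described above, as an added example (not code from the original post or from the Azure tools). It assumes .NET Framework 4.x on Windows, where the FIPS switch makes the "...Managed" constructors throw as in the stack trace; the class name FipsHashCheck and the sample input are made up for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsHashCheck
{
    // Construct a hash implementation and report whether the FIPS policy allows it.
    // With the switch on, "...Managed" constructors throw InvalidOperationException.
    static HashAlgorithm TryCreate(string name, Func<HashAlgorithm> factory)
    {
        try
        {
            HashAlgorithm h = factory();
            Console.WriteLine("{0,-28} allowed", name);
            return h;
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("{0,-28} blocked: {1}", name, ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // Reflects the Windows FIPS policy switch as seen by the CLR.
        Console.WriteLine("AllowOnlyFipsAlgorithms = {0}", CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");

        using (HashAlgorithm csp = TryCreate("SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider()))
        using (HashAlgorithm managed = TryCreate("SHA256Managed", () => new SHA256Managed()))
        {
            if (csp == null) { Console.WriteLine("No usable SHA-256 provider."); return; }
            string viaCsp = Convert.ToBase64String(csp.ComputeHash(data));
            Console.WriteLine("SHA-256 (CSP): {0}", viaCsp);

            // Both classes implement the same algorithm, so swapping one for the
            // other does not change stored or transmitted digests.
            if (managed != null)
                Console.WriteLine("Same digest from Managed: {0}",
                    viaCsp == Convert.ToBase64String(managed.ComputeHash(data)));
        }
    }
}
```

Run it once with the FIPS switch off and once with it on: the CryptoServiceProvider line should read "allowed" both times, while the Managed line flips to "blocked" with the same message CSPack reported.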