For the last few months I’ve been working on integrating IdentityServer3 into my company’s products.
If like me you have customers who require their servers to have FIPS compliance enabled, then you may have encountered the following issue whilst running IdentityServer3:
With the exception call stack looking something along the lines of:
This issue is already referenced on the IdentityServer3 GitHub issue tracker and is caused by it using HashAlgorithm.Create("SHA256") and SHA256.Create() in various places throughout the code (or the SHA512 versions). These calls result in the use of the SHA256Managed implementation, which is not FIPS compliant.
So the way to get IdentityServer3 working with FIPS compliance, which has been referenced on the GitHub issue, is to follow the instructions in this article in order to "re-map" the cryptographic algorithms to suit your needs.
Essentially, this involves adding the following to your machine.config:
    <mscorlib>
      <cryptographySettings>
        <cryptoNameMapping>
          <cryptoClasses>
            <cryptoClass SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <cryptoClass SHA512CSP="System.Security.Cryptography.SHA512CryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </cryptoClasses>
          <!-- name mappings -->
          <nameEntry name="SHA256" class="SHA256CSP" />
          <nameEntry name="SHA256CryptoServiceProvider" class="SHA256CSP" />
          <nameEntry name="System.Security.Cryptography.SHA256CryptoServiceProvider" class="SHA256CSP" />
          <nameEntry name="System.Security.Cryptography.SHA256" class="SHA256CSP" />
          <nameEntry name="SHA512" class="SHA512CSP" />
          <nameEntry name="SHA512CryptoServiceProvider" class="SHA512CSP" />
          <nameEntry name="System.Security.Cryptography.SHA512CryptoServiceProvider" class="SHA512CSP" />
          <nameEntry name="System.Security.Cryptography.SHA512" class="SHA512CSP" />
        </cryptoNameMapping>
      </cryptographySettings>
    </mscorlib>
The two crucial name mappings as far as IdentityServer3 is concerned, are
<nameEntry name="System.Security.Cryptography.SHA256" class="SHA256CSP"/>
and
<nameEntry name="System.Security.Cryptography.SHA512" class="SHA512CSP"/>
as these allow the default implementations (i.e. when SHA256.Create() or SHA512.Create() are called with no name passed in as an argument) to be re-mapped.
However, I would expect that some of my customers will be reluctant to change the machine.config file on their servers, so fortunately these mappings can also be applied programmatically. For example, somewhere within your host startup code, add the following block of code:
    // Requires: using System.Security.Cryptography;
    // Only re-map when the OS FIPS policy is enforced; otherwise the default
    // managed implementations are fine and this block is skipped.
    if (CryptoConfig.AllowOnlyFipsAlgorithms)
    {
        // Route every SHA256 name, including the default name used by
        // SHA256.Create(), to the FIPS-validated CSP implementation.
        CryptoConfig.AddAlgorithm(
            typeof(SHA256CryptoServiceProvider),
            "SHA256",
            "SHA256CryptoServiceProvider",
            "System.Security.Cryptography.SHA256CryptoServiceProvider",
            "System.Security.Cryptography.SHA256");

        // Same for SHA512 and SHA512.Create().
        CryptoConfig.AddAlgorithm(
            typeof(SHA512CryptoServiceProvider),
            "SHA512",
            "SHA512CryptoServiceProvider",
            "System.Security.Cryptography.SHA512CryptoServiceProvider",
            "System.Security.Cryptography.SHA512");
    }
This will only run if the runtime detects that FIPS compliance is enabled and will then add the appropriate mappings for both SHA256 and SHA512 hash algorithms.
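As an added example (not code from the post or from IdentityServer3), the following startup self-check confirms that the re-mapping actually took effect on a FIPS-enabled host: it resolves the two default names through CryptoConfig, checks they land on the CSP types, and runs a known-answer test, so a missing machine.config or AddAlgorithm mapping fails at host start rather than on the first token signature. The class name and its call site are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of IdentityServer3): call FipsHashSelfCheck.Verify()
// once at host startup, after the CryptoConfig.AddAlgorithm block has run.
public static class FipsHashSelfCheck
{
    // FIPS 180-4 example digests of the ASCII string "abc".
    const string Sha256Abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
    const string Sha512Abc = "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                           + "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f";

    // Resolves a CryptoConfig name to the concrete type it constructs. Returns null when
    // the mapped type cannot be built, which is exactly what SHA256Managed does under
    // FIPS policy (its constructor throws InvalidOperationException).
    public static Type Resolve(string name)
    {
        try
        {
            object instance = CryptoConfig.CreateFromName(name);
            return instance == null ? null : instance.GetType();
        }
        catch (InvalidOperationException) { return null; }
    }

    public static void Verify()
    {
        if (!CryptoConfig.AllowOnlyFipsAlgorithms) return; // no policy to enforce

        // These are the default names reached through SHA256.Create() / SHA512.Create().
        Check("System.Security.Cryptography.SHA256", typeof(SHA256CryptoServiceProvider), Sha256Abc, SHA256.Create);
        Check("System.Security.Cryptography.SHA512", typeof(SHA512CryptoServiceProvider), Sha512Abc, SHA512.Create);
    }

    static void Check(string name, Type expected, string knownAnswer, Func<HashAlgorithm> factory)
    {
        Type actual = Resolve(name);
        if (actual != expected)
            throw new InvalidOperationException(name + " resolves to "
                + (actual == null ? "<unconstructible>" : actual.FullName)
                + ", expected " + expected.Name + "; the FIPS re-mapping is missing on this host.");

        // Known-answer test: the mapped implementation must produce the published digest.
        using (HashAlgorithm hash = factory())
        {
            byte[] digest = hash.ComputeHash(Encoding.ASCII.GetBytes("abc"));
            string hex = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
            if (hex != knownAnswer)
                throw new InvalidOperationException(name + " failed its known-answer test.");
        }
    }
}
```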
Hopefully this proves useful to anyone who has had issues getting IdentityServer3 up and running under FIPS compliance conditions.