Running IdentityServer3 with FIPS Compliance

For the last few months I've been working on integrating IdentityServer3 into my company's products.

If, like me, you have customers who require their servers to run with the Windows FIPS policy enabled, then you may have encountered the following issue whilst running IdentityServer3:

[Screenshot: FIPSErrorScreen]

With the exception call stack looking something along the lines of:

[Screenshot: FIPSErrorCallstack]

This issue is already referenced on the IdentityServer3 GitHub issue tracker and is caused by IdentityServer3 calling HashAlgorithm.Create("SHA256") and SHA256.Create() in various places throughout the code (or the SHA512 equivalents). With the .NET Framework's default name mappings these calls resolve to the SHA256Managed (or SHA512Managed) implementation, which is not FIPS validated, so when the Windows FIPS policy is on its constructor throws an InvalidOperationException ("This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms").

So the way to get IdentityServer3 working with FIPS compliance, which has been referenced on the Github issue, is to follow the instructions in this article in order to “re-map” the cryptographic algorithms to suit your needs.

Essentially, this involves adding the following to your machine.config (the `<mscorlib>` element sits directly under the root `<configuration>` element, and the file to edit is the one for the CLR version and bitness your host actually runs under, i.e. Framework or Framework64):

	<mscorlib>
		<cryptographySettings>
			<cryptoNameMapping>
				<cryptoClasses>
					<cryptoClass
						SHA256CSP="System.Security.Cryptography.SHA256CryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
					<cryptoClass
						SHA512CSP="System.Security.Cryptography.SHA512CryptoServiceProvider, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
				</cryptoClasses>
				<!-- name mappings -->
				<nameEntry
					name="SHA256"
					class="SHA256CSP" />
				<nameEntry
					name="SHA256CryptoServiceProvider"
					class="SHA256CSP" />
				<nameEntry
					name="System.Security.Cryptography.SHA256CryptoServiceProvider"
					class="SHA256CSP" />
				<nameEntry
					name="System.Security.Cryptography.SHA256"
					class="SHA256CSP" />
				<nameEntry
					name="SHA512"
					class="SHA512CSP" />
				<nameEntry
					name="SHA512CryptoServiceProvider"
					class="SHA512CSP" />
				<nameEntry
					name="System.Security.Cryptography.SHA512CryptoServiceProvider"
					class="SHA512CSP" />
				<nameEntry
					name="System.Security.Cryptography.SHA512"
					class="SHA512CSP" />
			</cryptoNameMapping>
		</cryptographySettings>
	</mscorlib>

The two crucial name mappings, as far as IdentityServer3 is concerned, are

	<nameEntry 
		name="System.Security.Cryptography.SHA256" 
		class="SHA256CSP"/>

and

	<nameEntry 
		name="System.Security.Cryptography.SHA512" 
		class="SHA512CSP"/>

as these re-map the default implementations, i.e. the ones returned when SHA256.Create() or SHA512.Create() is called with no name argument (internally these resolve the names "System.Security.Cryptography.SHA256" and "System.Security.Cryptography.SHA512" through CryptoConfig).

However, I would expect that some of my customers will be reluctant to change the machine.config file on their servers, so fortunately these mappings can also be applied programmatically. For example, somewhere within your host startup code, before anything calls into IdentityServer3, add the following block:

	// requires: using System.Security.Cryptography;
	// CryptoConfig.AllowOnlyFipsAlgorithms reflects the Windows FIPS policy setting.
	if (CryptoConfig.AllowOnlyFipsAlgorithms)
	{
		// Re-map every name IdentityServer3 may resolve SHA256 through to the CSP implementation.
		CryptoConfig.AddAlgorithm(
			typeof(SHA256CryptoServiceProvider),
			"SHA256",
			"SHA256CryptoServiceProvider",
			"System.Security.Cryptography.SHA256CryptoServiceProvider",
			"System.Security.Cryptography.SHA256");

		// And the same for SHA512.
		CryptoConfig.AddAlgorithm(
			typeof(SHA512CryptoServiceProvider),
			"SHA512",
			"SHA512CryptoServiceProvider",
			"System.Security.Cryptography.SHA512CryptoServiceProvider",
			"System.Security.Cryptography.SHA512");
	}

This will only run if the runtime detects that the Windows FIPS policy is enabled (CryptoConfig.AllowOnlyFipsAlgorithms reads the "System cryptography: Use FIPS compliant algorithms" setting, stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy) and will then add the appropriate mappings for both the SHA256 and SHA512 hash algorithms. Two caveats: the mappings added via CryptoConfig.AddAlgorithm apply to the whole process, so every library in the host that resolves these names gets the CSP implementation, which is what you want under FIPS anyway; and they only affect lookups that go through CryptoConfig, so any code that does new SHA256Managed() directly will still fail under the policy.
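The following is an added example, not code from the original post or from IdentityServer3, that turns the mapping above into a startup self-check. It shows what SHA256.Create() and HashAlgorithm.Create("SHA256") resolve to before and after the remapping, then runs a known-answer test against the published SHA-2 test vectors for the constructed input "abc", so a missing or wrong mapping (whether you went the machine.config route or the programmatic one) fails at startup rather than at the first token signing. The class and method names (FipsHashCheck, RegisterFipsHashMappings, VerifyKnownAnswer) are mine, and it assumes a .NET Framework 4.x console application on Windows.

```csharp
// Added example, not part of the original post or of IdentityServer3.
// Startup self-check for the CryptoConfig FIPS remapping described above.
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsHashCheck
{
    // The same mapping as the post's startup snippet, wrapped so it can be
    // called from Global.asax / OWIN Startup before IdentityServer3 is configured.
    public static void RegisterFipsHashMappings()
    {
        if (!CryptoConfig.AllowOnlyFipsAlgorithms) return;

        CryptoConfig.AddAlgorithm(typeof(SHA256CryptoServiceProvider),
            "SHA256", "SHA256CryptoServiceProvider",
            "System.Security.Cryptography.SHA256CryptoServiceProvider",
            "System.Security.Cryptography.SHA256");

        CryptoConfig.AddAlgorithm(typeof(SHA512CryptoServiceProvider),
            "SHA512", "SHA512CryptoServiceProvider",
            "System.Security.Cryptography.SHA512CryptoServiceProvider",
            "System.Security.Cryptography.SHA512");
    }

    // Resolve an algorithm the way IdentityServer3 does and report the concrete
    // type, or the InvalidOperationException that the FIPS policy raises when the
    // name still maps to a *Managed implementation.
    static string Describe(string label, Func<HashAlgorithm> factory)
    {
        try
        {
            using (HashAlgorithm h = factory())
            {
                return label + " -> " + (h == null ? "(unknown name)" : h.GetType().Name);
            }
        }
        catch (InvalidOperationException ex)
        {
            return label + " -> InvalidOperationException: " + ex.Message;
        }
    }

    // Known-answer test: hash a constructed input with whatever SHA256.Create()
    // and SHA512.Create() now return and compare against the published SHA-2
    // test vectors for "abc". A wrong mapping (e.g. to the wrong algorithm) or a
    // still-failing one is caught here.
    public static bool VerifyKnownAnswer()
    {
        byte[] input = Encoding.ASCII.GetBytes("abc"); // constructed test input
        const string sha256Abc =
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        const string sha512Abc =
            "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a" +
            "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f";

        using (SHA256 sha256 = SHA256.Create())
        using (SHA512 sha512 = SHA512.Create())
        {
            string got256 = Hex(sha256.ComputeHash(input));
            string got512 = Hex(sha512.ComputeHash(input));
            return got256 == sha256Abc && got512 == sha512Abc;
        }
    }

    static string Hex(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 2);
        foreach (byte b in bytes) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    static int Main()
    {
        Console.WriteLine("FIPS policy enabled: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        Console.WriteLine("Before remapping:");
        Console.WriteLine(Describe("  SHA256.Create()", () => SHA256.Create()));
        Console.WriteLine(Describe("  HashAlgorithm.Create(\"SHA256\")", () => HashAlgorithm.Create("SHA256")));

        RegisterFipsHashMappings();

        Console.WriteLine("After remapping:");
        Console.WriteLine(Describe("  SHA256.Create()", () => SHA256.Create()));
        Console.WriteLine(Describe("  HashAlgorithm.Create(\"SHA256\")", () => HashAlgorithm.Create("SHA256")));
        Console.WriteLine(Describe("  SHA512.Create()", () => SHA512.Create()));

        bool ok = VerifyKnownAnswer();
        Console.WriteLine("Known-answer test: " + (ok ? "PASS" : "FAIL"));
        return ok ? 0 : 1; // non-zero exit so a deployment script can refuse to start the host
    }
}
```

On a server with the FIPS policy on, the "before" lines report the InvalidOperationException and the "after" lines report SHA256CryptoServiceProvider / SHA512CryptoServiceProvider; on a machine without the policy, RegisterFipsHashMappings is a no-op and both sets of lines show the Managed types. If the machine.config mapping is already in place, the "before" lines show the CSP types too, which is a quick way to confirm that the config edit took effect for the CLR your host is running under.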

Hopefully this proves useful to anyone who has had issues getting IdentityServer3 up and running under FIPS compliance conditions.
