
Latest DT.AzureStorage versions are not FIPS compliant #637

@cgillum

Description

This code in DurableTask.AzureStorage uses MD5 APIs to generate a hash. However, the use of MD5 APIs violates FIPS compliance rules and prevents certain users from being able to use the framework.

Description: The application requested process termination through System.Environment.FailFast(string message).
Message: RunAsync failed due to an unhandled exception causing the host process to crash: Autofac.Core.DependencyResolutionException: An exception was thrown while executing a resolve operation. See the InnerException for details. ---> Exception has been thrown by the target of an invocation. (See inner exception for details.) ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.MD5.Create()
   at DurableTask.AzureStorage.Partitioning.AppLeaseManager..ctor(AzureStorageClient azureStorageClient, IPartitionManager partitionManager, String appLeaseContainerName, String appLeaseInfoBlobName, AppLeaseOptions options) in /_/src/DurableTask.AzureStorage/Partitioning/AppLeaseManager.cs:line 72
   at DurableTask.AzureStorage.AzureStorageOrchestrationService..ctor(AzureStorageOrchestrationServiceSettings settings, IOrchestrationServiceInstanceStore customInstanceStore) in /_/src/DurableTask.AzureStorage/AzureStorageOrchestrationService.cs:line 176

We'll need to look into using some other API to generate this hash.

It's been suggested that we can test this by changing the following registry key on a Windows OS to reproduce the failure:

Setting the following in the Windows registry before running your test should be enough, I guess.
HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled and set Enabled to 1

This might require a reboot, but not sure.

FYI @amdeel
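An added example, not code from the issue or from the DurableTask.AzureStorage project, showing the shape of the failing call from the stack trace next to a FIPS-validated replacement. It assumes .NET Framework on Windows (the trace shows `MD5CryptoServiceProvider`, whose constructor throws under the FIPS policy); the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not the project's own code.
static class LeaseHashing
{
    // Probe for the failure mode in the issue: on .NET Framework with
    // HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1,
    // MD5.Create() throws InvalidOperationException from the MD5 CSP constructor.
    // .NET Core/.NET 5+ does not enforce the policy this way, so this returns false there.
    public static bool IsFipsPolicyEnforced()
    {
        try
        {
            using (MD5.Create()) { return false; }
        }
        catch (InvalidOperationException)
        {
            return true;
        }
    }

    // FIPS-safe replacement for the hash. SHA256CryptoServiceProvider is one of the
    // validated implementations on Windows; SHA256Managed is NOT, and on older .NET
    // Framework versions SHA256.Create() may resolve to it and throw the same way.
    // Truncating to 16 bytes only matters if a caller depends on MD5's output length
    // (for example to build a Guid); it is a size choice, not a security one.
    public static byte[] StableHash(string input, int length = 32)
    {
        using (var sha = new SHA256CryptoServiceProvider())
        {
            byte[] full = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
            if (length >= full.Length) return full;
            byte[] truncated = new byte[length];
            Array.Copy(full, truncated, length);
            return truncated;
        }
    }

    public static string ToHex(byte[] bytes) =>
        BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();

    public static void Main()
    {
        Console.WriteLine($"FIPS policy enforced: {IsFipsPolicyEnforced()}");
        // Constructed sample input standing in for whatever the lease manager hashes.
        Console.WriteLine(ToHex(StableHash("my-task-hub/app-lease", 16)));
    }
}
```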
