July 2013 AJAX Toolkit & FIPS Compliance Error

Question

0.00/5 (No votes)

See more:

, +

I've recently come across an error and I can't find any solution on the interwebs. I am building a website for our company's IT Helpdesk. I have included the latest version of the Ajax Toolkit but once I got it on the server, any page that has an Ajax control on it errors out with this error:

Server Error in '/' Application.
--------------------------------------------------------------------------------

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.SHA256Managed..ctor() +4488270
AjaxControlToolkit.ToolkitScriptManagerHelper.Hashing(String content) +53
AjaxControlToolkit.ToolkitScriptManagerCombiner.GetCombinedScriptContentHash(HttpContextBase context, String[] bundles) +38
AjaxControlToolkit.ToolkitScriptManager.OnLoad(EventArgs e) +376
System.Web.UI.Control.LoadRecursive() +71
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3064

--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1008

------------
Have been doing some research and it seems that FIPS doesn't like any crypto that is managed. Any ideas? It's SHA256, this shouldn't be a problem with FIPS.

Posted 27-Sep-13 4:29am

Foothill

Add a Solution

2 solutions

Solution 2

The ACT uses a managed version of the SHA256 hash algorithm that is not FIPS-compliant.

To fix this, I downloaded the source code for the last December 2013 version of ACT (4.1.7.1213), and recompiled the toolkit with this code change in place. This code is in the ToolscriptManagerHelper.cs source file (which doesn't exist in the latest ACT version).

XML

<pre lang="vb">//Change this to support FIPS compliance:
//using (SHA256 hashAlgorithm = new SHA256Managed())
using (HashAlgorithm hashAlgorithm = new SHA256CryptoServiceProvider())</pre>

Someone else found this solution and submitted a change request, but I don't think it was ever merged with the main code.

Your other alternatives are to upgrade to a newer version of the ACT (although I'm not sure which versions are/aren't FIPS-compliant), or disable FIPS enforcement.

I'm thinking about hosting an updated version to save others the trouble, but don't have time to do it right now.

Posted 21-Apr-15 4:29am

Member 611794

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Foothill · Accepted Answer · 2013-10-16T06:58:00

Solution 1

The only way to eliminate this error was to rollback to the September 2009 release of ajax.

Posted 16-Oct-13 6:58am

Foothill