ClickOnce not FIPS compliant?

  • Question

  • I work at a military installation where we have a number of in-house programs that we were migrating to .NET 2.0. After converting about 3 projects to .NET 2.0 and testing the ClickOnce deployment, upgrades done to the domain security policy caused ClickOnce to break. The security policy enabled the "Use only FIPS compliant algorithms for hashing/encryption" setting. So now, every time a ClickOnce installation attempts to take place, we get an error similar to this one: (note - this is not MY error message...but it is very similar. This person had the same error a year ago...and didn't post any resolution. This is the only incident of my problem that I've been able to find...and no clear resolution has been made available - or even how to make ClickOnce/IsolatedStorage FIPS compliant. This is definitely a ClickOnce error...not an application error. The same application can be installed without ClickOnce...and work fine. We absolutely need/would prefer to use ClickOnce because multiple users use multiple machines; not everyone needs every program; and for other scalability reasons like easy to upgrade and enforce latest versions of apps...etc.)

    PLATFORM VERSION INFO
     Windows    : 5.1.2600.131072 (Win32NT)
     Common Language Runtime  : 2.0.50727.42
     System.Deployment.dll   : 2.0.50727.42 (RTM.050727-4200)
     mscorwks.dll    : 2.0.50727.42 (RTM.050727-4200)
     dfdll.dll    : 2.0.50727.42 (RTM.050727-4200)
     dfshim.dll    : 2.0.50727.42 (RTM.050727-4200)

    SOURCES
     Deployment url   : http://www.ookii.org/c9/avatar/download/C9Avatar.application
          Server  : Microsoft-IIS/6.0
          X-Powered-By : ASP.NET
     Deployment Provider url  : http://www.ookii.org/c9/avatar/download/C9Avatar.application
     Application url   : http://www.ookii.org/c9/avatar/download/C9Avatar_2_0_0_0/C9Avatar.exe.manifest
          Server  : Microsoft-IIS/6.0
          X-Powered-By : ASP.NET

    IDENTITIES
     Deployment Identity  : C9Avatar.application, Version=2.0.0.0, Culture=neutral, PublicKeyToken=dae8bafd9b871d11, processorArchitecture=msil

    APPLICATION SUMMARY
     * Installable application.

    ERROR SUMMARY
     Below is a summary of the errors, details of these errors are listed later in the log.
     * Activation of http://www.ookii.org/c9/avatar/download/C9Avatar.application resulted in exception. Following failure messages were detected:
      + This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

    COMPONENT STORE TRANSACTION FAILURE SUMMARY
     No transaction error was detected.

    WARNINGS
     There were no warnings during this operation.

    OPERATION PROGRESS STATUS
     * [23/11/2005 8:36:18 PM] : Activation of http://www.ookii.org/c9/avatar/download/C9Avatar.application has started.
     * [23/11/2005 8:36:26 PM] : Processing of deployment manifest has successfully completed.
     * [23/11/2005 8:36:26 PM] : Installation of the application has started.

    ERROR DETAILS
     Following errors were detected during this operation.
     * [23/11/2005 8:36:28 PM] System.InvalidOperationException
      - This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
      - Source: mscorlib
      - Stack trace:
       at System.Security.Cryptography.SHA1Managed..ctor()
       at System.Deployment.Application.ComponentVerifier.GetHashAlgorithm(CMS_HASH_DIGESTMETHOD digestMethod)
       at System.Deployment.Application.ComponentVerifier.GenerateDigestValue(String filePath, CMS_HASH_DIGESTMETHOD digestMethod, CMS_HASH_TRANSFORM transform)
       at System.Deployment.Application.ComponentVerifier.VerifyFileHash(String filePath, Hash hash)
       at System.Deployment.Application.ComponentVerifier.VerifyFileHash(String filePath, HashCollection hashCollection)
       at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
       at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
       at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState subState, ActivationDescription actDesc)
       at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut)
       at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

    COMPONENT STORE TRANSACTION DETAILS
     No transaction information is available.

    Monday, July 24, 2006 2:11 PM

Answers

  • Wow, I wasn't expecting this from ClickOnce, but I can see what's happening here.

    In the manifest, each file is hashed and signed. ClickOnce uses SHA1Managed (a .NET cryptographic component) to hash and verify these entries. It seems as if none of the .NET managed hash algorithms are FIPS certified. The component itself will throw this exception (or the runtime actually) if you try to create an instance of these components. Unfortunately, the SHA algorithms are certified, but not the .NET managed implementation of the algorithms. The only FIPS certified CSPs (cryptographic service providers) seem to be the unmanaged ones shipped with the operating systems.

    Hm, this looks like a problem you can't really get around, as it's code inside the ClickOnce infrastructure itself. I'll see if I can get more info out of MS on this one. I might have some sources that will shed more light on it.

    Monday, July 24, 2006 11:55 PM
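    The mechanism described in this answer, as an added example that is not code from the thread or from ClickOnce itself: under the FIPS policy the .NET Framework managed hash classes throw InvalidOperationException from their constructor, while the CryptoAPI wrapper classes are accepted. ClickOnce hard-codes SHA1Managed, so this cannot be fixed from the application side, but your own code can select a provider the policy permits. The file name in Main is a hypothetical placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example: a FIPS-policy-aware SHA-1 file digest in the style of a
// ClickOnce manifest entry (SHA-1 is used only because that is what the
// ClickOnce manifests in this thread are hashed with).
static class FipsAwareHash
{
    // Returns a SHA-1 implementation that can be constructed under the current
    // machine policy: the managed class first, falling back to the OS CSP
    // wrapper when the policy rejects the managed implementation.
    public static HashAlgorithm CreateSha1()
    {
        try
        {
            return new SHA1Managed();
        }
        catch (InvalidOperationException)
        {
            // This is the exception seen in the log above: "This implementation
            // is not part of the Windows Platform FIPS validated cryptographic
            // algorithms." The CryptoAPI wrapper is FIPS-validated by the OS.
            return new SHA1CryptoServiceProvider();
        }
    }

    // Digest of a file, base64 encoded the way ClickOnce manifests store
    // a <DigestValue> for each file entry.
    public static string FileDigestBase64(string path)
    {
        using (HashAlgorithm sha1 = CreateSha1())
        using (FileStream fs = File.OpenRead(path))
        {
            return Convert.ToBase64String(sha1.ComputeHash(fs));
        }
    }

    static void Main(string[] args)
    {
        // Hypothetical file name; pass a real path on the command line.
        string path = args.Length > 0 ? args[0] : "C9Avatar.exe";
        using (HashAlgorithm h = CreateSha1())
            Console.WriteLine("Provider selected by policy: " + h.GetType().Name);
        Console.WriteLine("DigestValue: " + FileDigestBase64(path));
    }
}
```

    Running this on a machine with the FIPS policy enabled prints SHA1CryptoServiceProvider as the selected provider; with the policy off it prints SHA1Managed, and the digest is identical either way.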

All replies

  • Thanks...I really appreciate it. I knew that it was the Managed SHA1 throwing the error...so I was trying to see if there was a way to force ClickOnce to use the CryptoAPI SHA1 wrapper...but I can't find anything about it anywhere. And the only way to "manually" generate a ClickOnce manifest still has no options to change the hashing algorithm. I'm at a complete loss here...unfortunately.
    • Proposed as answer by Ken S Wednesday, March 13, 2013 9:30 PM
    Tuesday, July 25, 2006 12:01 PM
  • After digging around today...I do see something that is a little intriguing (though I haven't even tried to test it)...but throws all the scalability gained from using ClickOnce...right out of the window. It's the InPlaceHostingManager class found under the System.Deployment.Application namespace. It can install ClickOnce applications and is what ClickOnce seems to be based off of. The only things that trouble me are


    a) You have to follow the three steps/functions exactly in order or it will throw an exception. So there's probably no skipping or emulating the manifest download portion of installation.

    b) The handling of the manifest seems automated...so the very same error probably can/will be thrown. You can only hope to catch it and...bypass it somehow.

    c) It doesn't automatically start the program the way ClickOnce does. But you can always do a "Process.Start" out of whatever "ClickOnce loader" application you build.

    d) Even though it's not that "big" of a deal...you probably have to install the loader app with SMS...or LanDesk...or something like that.


    I'll try testing this thing out either later on today...or sometime later tomorrow. But what I don't understand is how ClickOnce couldn't have been made FIPS compatible/certified. The option for FIPS hashing/encrypting has been in Windows since Windows 2000 and to me...ClickOnce would have been a first choice in a government installation...because it's so scalable and easy to install. I hope I'm just missing something...

    Tuesday, July 25, 2006 4:36 PM
  • Well...I assume everyone is just as stumped as me...eh?
    Tuesday, August 1, 2006 4:04 PM
  • Yep, sure are. We are only attempting to build a small app on a FIPS enabled system and cannot even perform a publish due to this error. The only way we can get around it is to go to the Security tab in the solution's property page and turn off the ClickOnce ***. Then we have to deploy manually. Luckily, they are self contained... But it would be nice to use an installer...

    Thanks, MS. Once again, you've outdone yourself...

    Thursday, September 14, 2006 11:32 PM
  • I've been talking with some MS people on this and you can see their official answer on my blog here: http://devauthority.com/blogs/devprime/archive/2006/08/28/2491.aspx

    Note that you can probably bump up the priority for the fix by logging an official bug and voting for it.

    Sunday, September 17, 2006 3:21 AM
  • Thanks, Rob. I've entered a bug for this problem on the MS Connect site:

    https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=205869

    Folks can now login (or register and login) and vote for this bug to be fixed.


    Wednesday, September 20, 2006 2:01 PM
  • This problem is not just isolated to ClickOnce. I have this problem with my Setup projects that are configured to create a bootstrapper to install prerequisites (the 2.0 framework in my case). The creation of the bootstrapper bombs with "An error occurred generating a bootstrapper: This implementation is not a part of the Windows Platform FIPS validated cryptographic solution."

    Very frustrating.
    Tuesday, November 7, 2006 6:31 PM
  • Have you gotten anywhere with this? I am in a similar situation trying to build asp.net 2.0 apps. The FIPS requirement basically won't allow the app to compile.

    aaron

    Thursday, February 22, 2007 7:29 PM
  • Nothing yet. As I stated in my blog, the earliest you can expect a fix is in the Visual Studio "Orcas" release (next release of VS). There seem to be 2 possible fixes at the moment:

    1) change the algorithms used by ClickOnce to ones that are FIPS compliant
    2) make the .NET algorithms FIPS certified

    Option 1 will probably be easier, but won't help the ASP scenario. I have no idea what MS is officially doing in response to the problem right now. We'll know more in a few months.

    -Rob

    Thursday, February 22, 2007 10:12 PM
  • Have you found a way round this... I'm getting the same problem.


    Regards

    np

    Tuesday, May 22, 2007 10:05 AM