1

I have a large C# .NET project which I must turn into FIPS compliant, so I need to find and change every piece of code that calls any non-compliant API.

If I enable FipsAlgorithmPolicy in the registry I start getting runtime exceptions like "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." which is fine but validating the entire code base by testing is both time-consuming and unreliable.

Is there a way to make Visual Studio 2017/2019 issue an error or warning at compile time for each non-complaint API call?

Anthony Mastrean
  • 21,850
  • 21
  • 110
  • 188
Ra.
  • 2,499
  • 3
  • 28
  • 41

1 Answers1

2

The Roslyn Security Code Scan analyzers have rules for all weak crypto and random classes. That should help you on your way :). The Microsoft Code Analysis package has support for these types of checks as well.

You can edit your ruleset files to raise these rules to an error if you want to.

enter image description here

Or you can add them as NuGet package references to have them trigger even on the build servers.

  <ItemGroup>
    <PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="2.9.8"/>
    <PackageReference Include="SecurityCodeScan" Version="3.5.0"/>
  </ItemGroup>

Just remember that if the hash algorithm is used in different ways (like a commit hash in git), it may not be FIPS compliant for data storage, encryption and verification, but it's still valid code.

jessehouwing
  • 106,458
  • 22
  • 256
  • 341
  • FIPS is not about preventing the use of weak cryptography. It requires you to use an approved list of approved algorithms which may already be broken. That's why FIPS is not recommended anymore – phuclv Mar 12 '20 at 15:58
  • Sure, back then the list excluded the then old stuff. The letter if the law vs the intent, FIPS compliance tried to exclude back then weak stuff. – jessehouwing Mar 14 '20 at 21:27