Changes so AltCover will run when FIPS compliance is required #214

@hfickes

Short Version: Can AltCover use a FIPS compliant algorithm such as SHA384 instead of SHA-1?

Long Version
AltCover throws an exception if a machine is configured to be FIPS compliant. The US government requires compliance with FIPS-140-3 for many systems. A description of this is at:

https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

and there are plenty of discussions regarding the usefulness of FIPS, though many refer to older versions of the specification.

Anyhow, we use AltCover on development VMs where we have FIPS compliance turned off but we need to run these tests on government machines where FIPS compliance is enabled.

You can enable/disable FIPS compliance on Windows via Group Policy or by setting the DWORD registry entry at:

HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1 for enabled, and 0 for disabled

When FIPS compliance is on, running AltCover throws an exception while instrumenting the assemblies at:

Unhandled Exception: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA1Managed..ctor()
at Mono.Cecil.CryptoService.HashStream(Stream stream, ImageWriter writer, Int32& strong_name_pointer)
at Mono.Cecil.CryptoService.StrongName(Stream stream, ImageWriter writer, WriterParameters parameters)
at Mono.Cecil.ModuleWriter.Write(ModuleDefinition module, Disposable`1 stream, WriterParameters parameters)
at Mono.Cecil.ModuleWriter.WriteModule(ModuleDefinition module, Disposable`1 stream, WriterParameters parameters)
at Mono.Cecil.ModuleDefinition.Write(Stream stream, WriterParameters parameters)
at AltCover.Instrument.I.writeAssembly(AssemblyDefinition assembly, String path) in /_//AltCover.Engine/Instrument.fs:line 512
at AltCover.Instrument.I.writeAssemblies(AssemblyDefinition definition, String file, IEnumerable`1 targets, FSharpFunc`2 sink) in /_//AltCover.Engine/Instrument.fs:line 870
at AltCover.Instrument.I.visitAfterAssembly(InstrumentContext state, AssemblyEntry assembly) in /_//AltCover.Engine/Instrument.fs:line 1132
at AltCover.Instrument.I.instrumentationVisitorWrapper(FSharpFunc`2 core, InstrumentContext state, Node node) in /_//AltCover.Engine/Instrument.fs:line 1468
at AltCover.Main.I.visitors@755.Invoke(InstrumentContext state, Node node)
at AltCover.Visitor.stateful@1652-1.Invoke(T node) in /_//AltCover.Engine/Visitor.fs:line 1654
at Microsoft.FSharp.Primitives.Basics.List.mapToFreshConsTail[a,b](FSharpList`1 cons, FSharpFunc`2 f, FSharpList`1 x) in D:\a_work\1\s\src\FSharp.Core\local.fs:line 236
at Microsoft.FSharp.Primitives.Basics.List.map[T,TResult](FSharpFunc`2 mapping, FSharpList`1 x) in D:\a_work\1\s\src\FSharp.Core\local.fs:line 247
at Microsoft.FSharp.Collections.SeqModule.Fold[T,TState](FSharpFunc`2 folder, TState state, IEnumerable`1 source) in D:\a_work\1\s\src\FSharp.Core\seq.fs:line 913
at AltCover.Visitor.visit(IEnumerable`1 visitors, IEnumerable`1 assemblies) in /_//AltCover.Engine/Visitor.fs:line 1639
at AltCover.Main.I.result@735.Invoke(Unit unitVar0) in /_//AltCover.Engine/Main.fs:line 758
at AltCover.PathOperation.DoPathOperation[TAny](FSharpFunc`2 operation, FSharpFunc`2 handle) in /_//AltCover.Engine/Output.fs:line 23
at AltCover.CommandLine.doPathOperation@433-1.Invoke(FSharpFunc`2 f, a defaultValue, Boolean store)
at AltCover.Main.I.doInstrumentation(String[] arguments) in /_//AltCover.Engine/Main.fs:line 730

I've looked at the code (first time I've read F# code outside of articles) and I can see where SHA-1 is being used. Could this be replaced with something that is compliant for signing, such as SHA-384?

SHA-1 is compliant for some uses, but not for signing. From the document linked above:

"Whether a security function is approved may be context sensitive to the service in which it is included. For
example, at Overall Security Rating 1, the SHA-1 function is an approved algorithm if it is used for an
integrity check service, but it is not approved if it is used as part of a digital signature generation service.
Therefore, it is not required to provide the indicator at the API level of cryptographic functions, as long as the
service implementing the API provides the corresponding indicator that unambiguously indicates the approved
security services"

Thanks,
Herb
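
A diagnostic for the failure reported above, added here as an example; it is not part of the original post and is not AltCover or Mono.Cecil code. It reads the FIPS policy value from the registry key named in the issue and then tries to construct several .NET hash classes, so a build agent can be checked before instrumentation is attempted. Assumptions: Windows PowerShell 5.1 on .NET Framework; the function names `Get-FipsPolicy` and `Test-HashImplementation` are hypothetical.

```powershell
# Added diagnostic (assumes Windows PowerShell 5.1 / .NET Framework).
# Function names are hypothetical; the registry path is the one quoted in the issue.

function Get-FipsPolicy {
    $key  = 'HKLM:\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Raw registry value: 1 = enabled, 0 = disabled, $null = value not present
        RegistryEnabled         = if ($item) { [int]$item.Enabled } else { $null }
        # What the .NET runtime in this process believes the policy to be
        AllowOnlyFipsAlgorithms = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashImplementation {
    param([Parameter(Mandatory)][string[]]$TypeName)

    # Constructed sample input; the content is irrelevant, only instantiation matters
    $sample = [System.Text.Encoding]::ASCII.GetBytes('constructed sample input')

    foreach ($name in $TypeName) {
        $type = "System.Security.Cryptography.$name" -as [type]
        if (-not $type) {
            [pscustomobject]@{ Type = $name; Usable = $false; Detail = 'type not available in this runtime' }
            continue
        }
        try {
            # The constructor is where the exception in the stack trace above is raised
            $hash = [Activator]::CreateInstance($type)
            try     { $digest = $hash.ComputeHash($sample) }
            finally { $hash.Dispose() }
            [pscustomobject]@{ Type = $name; Usable = $true; Detail = "$($digest.Length * 8)-bit digest" }
        }
        catch {
            # Unwrap PowerShell and reflection wrappers to reach the original exception
            [pscustomobject]@{ Type = $name; Usable = $false; Detail = $_.Exception.GetBaseException().Message }
        }
    }
}

Get-FipsPolicy | Format-List
Test-HashImplementation SHA1Managed, SHA1CryptoServiceProvider, SHA1Cng,
                        SHA384Managed, SHA384CryptoServiceProvider, SHA384Cng |
    Format-Table -AutoSize -Wrap
```

Any row with `Usable` set to `False` shows the message of the underlying exception for that class, which can be compared with the `SHA1Managed..ctor()` frame in the trace.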

Labels: Third party (Problem lies in a consumed library which may or may not have a work-round)