ClickOnce not FIPS compliant?

I work at a military installation where we have a number of in-house programs that we were migrating to .NET 2.0. After converting about 3 projects over to .NET 2.0 and testing the ClickOnce deployment, upgrades done to the domain security policy caused ClickOnce to break. The security policy enabled the "Use only FIPS compliant algorithms for hashing/encryption" setting. So now, every time a ClickOnce installation attempts to take place, we get an error similar to this one: (note - this is not MY error message...but it is very similar. This person had the same error a year ago...and didn't post any resolution. This is the only incident of my problem that I've been able to find...and no clear resolution has been made available - or even how to make ClickOnce/IsolatedStorage FIPS compliant. This is definitely a ClickOnce error...not an application error. The same application can be installed without ClickOnce...and work fine. We absolutely need/would prefer to use ClickOnce because multiple users use multiple machines; not everyone needs every program; and for other scalability reasons like easy to upgrade and enforce latest versions of apps...etc.)

PLATFORM VERSION INFO
Windows : 5.1.2600.131072 (Win32NT)
Common Language Runtime : 2.0.50727.42
System.Deployment.dll : 2.0.50727.42 (RTM.050727-4200)
mscorwks.dll : 2.0.50727.42 (RTM.050727-4200)
dfdll.dll : 2.0.50727.42 (RTM.050727-4200)
dfshim.dll : 2.0.50727.42 (RTM.050727-4200)

SOURCES
Deployment url : http://www.ookii.org/c9/avatar/download/C9Avatar.application
Server : Microsoft-IIS/6.0
X-Powered-By : ASP.NET
Deployment Provider url : http://www.ookii.org/c9/avatar/download/C9Avatar.application
Application url : http://www.ookii.org/c9/avatar/download/C9Avatar_2_0_0_0/C9Avatar.exe.manifest
Server : Microsoft-IIS/6.0
X-Powered-By : ASP.NET

IDENTITIES
Deployment Identity : C9Avatar.application, Version=2.0.0.0, Culture=neutral, PublicKeyToken=dae8bafd9b871d11, processorArchitecture=msil

APPLICATION SUMMARY
* Installable application.

ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of http://www.ookii.org/c9/avatar/download/C9Avatar.application resulted in exception. Following failure messages were detected:
+ This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.

WARNINGS
There were no warnings during this operation.

OPERATION PROGRESS STATUS
* [23/11/2005 8:36:18 PM] : Activation of http://www.ookii.org/c9/avatar/download/C9Avatar.application has started.
* [23/11/2005 8:36:26 PM] : Processing of deployment manifest has successfully completed.
* [23/11/2005 8:36:26 PM] : Installation of the application has started.

ERROR DETAILS
Following errors were detected during this operation.
* [23/11/2005 8:36:28 PM] System.InvalidOperationException
- This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
- Source: mscorlib
- Stack trace:
at System.Security.Cryptography.SHA1Managed..ctor()
at System.Deployment.Application.ComponentVerifier.GetHashAlgorithm(CMS_HASH_DIGESTMETHOD digestMethod)
at System.Deployment.Application.ComponentVerifier.GenerateDigestValue(String filePath, CMS_HASH_DIGESTMETHOD digestMethod, CMS_HASH_TRANSFORM transform)
at System.Deployment.Application.ComponentVerifier.VerifyFileHash(String filePath, Hash hash)
at System.Deployment.Application.ComponentVerifier.VerifyFileHash(String filePath, HashCollection hashCollection)
at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState subState, ActivationDescription actDesc)
at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut)
at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)

COMPONENT STORE TRANSACTION DETAILS
No transaction information is available.

[5290 byte] By [Retrotom] at [2007-12-26]
# 1

Wow, I wasn't expecting this from ClickOnce, but I can see what's happening here.

In the manifest, each file is hashed and signed. ClickOnce uses SHA1Managed (a .NET cryptographic component) to hash and verify these entries. It seems as if none of the .NET managed hash algorithms are FIPS certified. The component itself will throw this exception (or the runtime actually) if you try to create an instance of these components. Unfortunately, the SHA algorithms are certified, but not the .NET managed implementation of the algorithms. The only FIPS certified CSPs (cryptographic service providers) seem to be the unmanaged ones shipped with the operating systems.

Hm, this looks like a problem you can't really get around, as it's code inside the ClickOnce infrastructure itself. I'll see if I can get more info out of MS on this one. I might have some sources that will shed more light on it.

RobTeixeira at 2007-9-4
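A small diagnostic that makes the distinction in the reply above concrete, added here as an example and not code from the thread or from Microsoft. Under the FIPS policy the CLR refuses to construct the managed SHA-1 class (`SHA1Managed`), which is exactly the stack trace in the log, while the CryptoAPI wrapper (`SHA1CryptoServiceProvider`) still works. The registry locations used to read the policy flag (the `Lsa\FipsAlgorithmPolicy` value on XP/2003 and the `Lsa\FipsAlgorithmPolicy\Enabled` value on Vista and later) are the author's assumption, so the try/catch is the authoritative test. The sample file content is constructed.

```csharp
// Added example: which SHA-1 implementation is usable on this machine under FIPS policy?
// Targets .NET Framework 2.0 (C# 2 syntax), since that is the runtime in the thread.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

static class FipsHashCheck
{
    delegate HashAlgorithm HashFactory();

    // Reads the machine-wide FIPS policy flag. Both locations are assumptions about
    // the OS layout, not something the thread states; the try/catch below is definitive.
    static bool FipsPolicyEnabled()
    {
        using (RegistryKey lsa = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Lsa"))
        {
            if (lsa == null) return false;
            // XP / Server 2003 layout: a DWORD value directly under Lsa.
            object legacy = lsa.GetValue("FipsAlgorithmPolicy");
            if (legacy is int) return (int)legacy != 0;
            // Vista and later layout: a subkey with an "Enabled" DWORD.
            using (RegistryKey sub = lsa.OpenSubKey("FipsAlgorithmPolicy"))
            {
                object enabled = sub == null ? null : sub.GetValue("Enabled");
                return enabled is int && (int)enabled != 0;
            }
        }
    }

    // Hashes a file with the given implementation. Returns the hex digest, or null when
    // the CLR refuses to instantiate the implementation (InvalidOperationException with the
    // same "not part of the Windows Platform FIPS validated cryptographic algorithms" text
    // that appears in the ClickOnce log above).
    static string TryHash(string name, HashFactory create, string path)
    {
        try
        {
            using (HashAlgorithm h = create())
            using (FileStream fs = File.OpenRead(path))
            {
                string hex = BitConverter.ToString(h.ComputeHash(fs)).Replace("-", "").ToLowerInvariant();
                Console.WriteLine("{0,-27} OK  {1}", name, hex);
                return hex;
            }
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("{0,-27} REFUSED: {1}", name, ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample input standing in for a file listed in a ClickOnce manifest.
        string path = Path.GetTempFileName();
        File.WriteAllBytes(path, Encoding.ASCII.GetBytes("constructed sample assembly bytes"));

        Console.WriteLine("FIPS policy flag set: {0}", FipsPolicyEnabled());
        string managed = TryHash("SHA1Managed", delegate { return new SHA1Managed(); }, path);
        string capi    = TryHash("SHA1CryptoServiceProvider", delegate { return new SHA1CryptoServiceProvider(); }, path);

        // With the policy off both succeed and the digests are identical: the algorithm is
        // the same, only the implementation differs. With the policy on, 'managed' is null.
        if (managed != null && capi != null && managed != capi)
            Console.WriteLine("Unexpected: digests differ");
        File.Delete(path);
    }
}
```

Run it once with the policy off and once with it on to see the behaviour switch; the CAPI wrapper succeeds in both cases, which is why the thread looks for a way to make ClickOnce's ComponentVerifier use it instead of SHA1Managed.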
# 2
Thanks...I really appreciate it. I knew that it was the Managed SHA1 throwing the error...so I was trying to see if there was a way to force ClickOnce to use the CryptoAPI SHA1 wrapper...but I can't find anything about it anywhere. And the only way to "manually" generate a ClickOnce manifest still has no options to change the hashing algorithm. I'm at a complete loss here...unfortunately.
Retrotom at 2007-9-4
# 3

After digging around today...I do see something that is a little intriguing (though I haven't even tried to test it)...but throws all the scalability gained from using ClickOnce...right out of the window. It's the InPlaceHostingManager class found under the System.Deployment.Application namespace. It can install ClickOnce applications and is what ClickOnce seems to be based off of. The only things that trouble me are

a) You have to follow the three steps/functions exactly in order or it will throw an exception. So there's probably no skipping or emulating the manifest download portion of installation.

b) The handling of the manifest seems automated...so the very same error probably can/will be thrown. You can only hope to catch it and...bypass it somehow.

c) It doesn't automatically start the program the way ClickOnce does. But you can always do a "Process.Start" out of whatever "ClickOnce loader" application you build.

d) Even though it's not that "big" of a deal...you probably have to install the loader app with SMS...or LanDesk...or something like that.

I'll try testing this thing out either later on today...or sometime later tomorrow. But what I don't understand is how ClickOnce couldn't have been made FIPS compatible/certified. The option for FIPS hashing/encrypting has been in Windows since Windows 2000 and to me...ClickOnce would have been a first choice in a government installation...because it's so scalable and easy to install. I hope I'm just missing something...

Retrotom at 2007-9-4
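The three-step `InPlaceHostingManager` sequence the post describes (get manifest, assert requirements, download), written out as an added example rather than anything from the thread or from Microsoft's documentation. It shows where point (b) bites: the manifest hashes are verified inside the library, so under the FIPS policy the `InvalidOperationException` arrives in `GetManifestCompletedEventArgs.Error`, and a loader can only report it, not skip verification. The deployment URL is a placeholder.

```csharp
// Added example: a minimal custom ClickOnce loader on System.Deployment.Application.
// Targets .NET Framework 2.0; reference System.Deployment.dll.
using System;
using System.Deployment.Application;
using System.Threading;

class ClickOnceLoader
{
    // Placeholder; replace with the real deployment manifest URL.
    const string DeploymentUrl = "http://example.invalid/apps/MyApp.application";

    static readonly ManualResetEvent done = new ManualResetEvent(false);
    static InPlaceHostingManager manager;

    static void Main()
    {
        // Step 1: fetch and process the deployment manifest.
        // 'false' = run as an installed application, not in this host process.
        manager = new InPlaceHostingManager(new Uri(DeploymentUrl), false);
        manager.GetManifestCompleted += OnManifestCompleted;
        manager.GetManifestAsync();
        done.WaitOne();
    }

    static void OnManifestCompleted(object sender, GetManifestCompletedEventArgs e)
    {
        if (e.Error != null)
        {
            // Under the FIPS policy the SHA1Managed failure from the ClickOnce log
            // surfaces here, because manifest hash verification happens inside the
            // library. The file hashes could not be checked, so stop; do not try to
            // continue an install whose integrity check never ran.
            Report("Manifest processing failed", e.Error);
            done.Set();
            return;
        }

        try
        {
            // Step 2: verify the permissions the manifest asks for; 'true' grants them.
            manager.AssertApplicationRequirements(true);
        }
        catch (Exception ex)
        {
            Report("Application requirements not met", ex);
            done.Set();
            return;
        }

        // Step 3: download and install. Same verification applies to each file.
        manager.DownloadApplicationCompleted += OnDownloadCompleted;
        manager.DownloadApplicationAsync();
    }

    static void OnDownloadCompleted(object sender, DownloadApplicationCompletedEventArgs e)
    {
        if (e.Error != null)
            Report("Download/installation failed", e.Error);
        else
            Console.WriteLine("Installed. Launching is the loader's job (see point c).");
        done.Set();
    }

    // Walks the InnerException chain so the FIPS message from mscorlib is visible
    // even when it is wrapped by a deployment exception.
    static void Report(string context, Exception ex)
    {
        Console.WriteLine(context + ":");
        for (Exception cur = ex; cur != null; cur = cur.InnerException)
            Console.WriteLine("  {0}: {1}", cur.GetType().Name, cur.Message);
    }
}
```

The calls must stay in this order; `AssertApplicationRequirements` before `GetManifestCompleted` has fired, or `DownloadApplicationAsync` before the assertion, throws, which is point (a) in the post.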
# 4
Well...I assume everyone is just as stumped as me...eh?
Retrotom at 2007-9-4
# 5

Yep, sure are. We are only attempting to build a small app on a FIPS enabled system and cannot even perform a publish due to this error. The only way we can get around it is to go to the Security tab in the solution's property page and turn off the ClickOnce ***. Then we have to deploy manually. Luckily, they are self contained... But it would be nice to use an installer...

Thanks, MS. Once again, you've outdone yourself...

buj at 2007-9-4
# 6

I've been talking with some MS people on this and you can see their official answer on my blog here: http://devauthority.com/blogs/devprime/archive/2006/08/28/2491.aspx

Note that you can probably bump up the priority for the fix by logging an official bug and voting for it.

RobTeixeira at 2007-9-4
# 7

Thanks, Rob. I've entered a bug for this problem on the MS Connect site:

https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=205869

Folks can now login (or register and login) and vote for this bug to be fixed.

buj at 2007-9-4
# 8
This problem is not just isolated to ClickOnce. I have this problem with my Setup projects that are configured to create a bootstrapper to install prerequisites (the 2.0 framework in my case). The creation of the bootstrapper bombs with "An error occurred generating a bootstrapper: This implementation is not a part of the Windows Platform FIPS validated cryptographic solution."

Very frustrating.

RobbKidd at 2007-9-4
# 9
Have you gotten anywhere with this? I am in a similar situation trying to build asp.net 2.0 apps. The FIPS requirement basically won't allow the app to compile.

aaron

JTFGTMO at 2007-9-4
# 10

Nothing yet. As I stated in my blog, the earliest you can expect a fix is in the Visual Studio "Orcas" release (next release of VS). There seem to be 2 possible fixes at the moment:

1) change the algorithms used by ClickOnce to ones that are FIPS compliant
2) make the .NET algorithms FIPS certified

Option 1 will probably be easier, but won't help the ASP scenario. I have no idea what MS is officially doing in response to the problem right now. We'll know more in a few months.

-Rob

RobTeixeira at 2007-9-4
# 11

Have you found a way round this... I'm getting the same problem.

Regards

np

Ninja_Programmer at 2007-9-4