[Win10] This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. #1497

Closed
ghost opened this issue Oct 18, 2015 · 4 comments · Fixed by #1850
Labels: Bug (Something is not working as intended), Windows (Issues specific for Windows)

ghost commented Oct 18, 2015

I received this error message after trying to run CKAN on Windows 10 Pro x64. KSP (32 bit) itself works, and I have .NET 4.5 installed.

Below are the details in the debug window:

************** Exception Text **************
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA1Managed..ctor()
   at CKAN.NetFileCache.CreateURLHash(Uri url)
   at CKAN.NetFileCache.GetCachedFilename(Uri url)
   at CKAN.NetFileCache.IsMaybeCachedZip(Uri url)
   at CKAN.GUIMod..ctor(CkanModule mod, IRegistryQuerier registry, KSPVersion current_ksp_version)
   at CKAN.Main.<_UpdateModsList>c__AnonStorey14.<>m__0(CkanModule m)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Collections.Generic.HashSet`1.UnionWith(IEnumerable`1 other)
   at System.Collections.Generic.HashSet`1..ctor(IEnumerable`1 collection, IEqualityComparer`1 comparer)
   at CKAN.Main._UpdateModsList(Boolean repo_updated)
   at CKAN.Util.Invoke[T](T obj, Action action)
   at CKAN.Main.CurrentInstanceUpdated()
   at CKAN.Main.OnLoad(EventArgs e)
   at System.Windows.Forms.Form.OnCreateControl()
   at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
   at System.Windows.Forms.Control.CreateControl()
   at System.Windows.Forms.Control.WmShowWindow(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.Form.WmShowWindow(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


ghost (Author) commented Oct 18, 2015

I think I figured out my issue. The issue is that I'm running the computer in a domain. A bit more specific, I have HKLM\SYSTEM\CurrentControlSet\Control\LSA\FipsAlgorithmPolicy\Enabled set to 1.

The workaround is to set that key to 0. However, in my case (and anyone running on a domain), this is controlled by GPO and will be ineffective (next time gpupdate runs, it would set the key back to 1).

According to Microsoft, the fix is to add in the runtime section of Visual Studio (if you're using VS) ckan config file. The link below has a bit more detail:

http://blogs.msdn.com/b/brijs/archive/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010.aspx

pjf (Member) commented Oct 20, 2015

Thanks for the report! Our build system isn't using VS (it's using mono), but if we can set something to opt our application out of FIPS enforcement that would be great! We're using SHA1 as a quick way to check if we've cached a file, not for Serious Crypto.

Marking this as a bug that we'll need to address. (Although writing a test for our test suite may be a little challenging!)

pjf added the Bug (Something is not working as intended), ★☆☆ and Windows (Issues specific for Windows) labels on Oct 20, 2015

ayan4m1 (Contributor) commented Jul 30, 2016

Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled.

The change they are talking about isn't actually VS-specific, it just happens to fix debugging issues in VS which is why the article linked was written... https://msdn.microsoft.com/en-us/library/hh202806(v=vs.110).aspx

They're just talking about your GUI/app.config file.

ayan4m1 (Contributor) commented Aug 2, 2016

OK, so I can repro this by using the group policy editor to enable this security option: GPO docs

I am on Windows 10 x64.

Exception

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA1Managed..ctor()
   at CKAN.NetFileCache.CreateURLHash(Uri url)
   at CKAN.NetFileCache.GetCachedFilename(Uri url)
   at CKAN.NetFileCache.IsMaybeCachedZip(Uri url)
   at CKAN.GUIMod..ctor(CkanModule mod, IRegistryQuerier registry, KspVersion current_ksp_version)
   at CKAN.Main.<_UpdateModsList>c__AnonStorey14.<>m__0(CkanModule m)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Collections.Generic.HashSet`1.UnionWith(IEnumerable`1 other)
   at System.Collections.Generic.HashSet`1..ctor(IEnumerable`1 collection, IEqualityComparer`1 comparer)
   at CKAN.Main._UpdateModsList(Boolean repo_updated)
   at CKAN.Util.Invoke[T](T obj, Action action)
   at CKAN.Main.CurrentInstanceUpdated()
   at CKAN.Main.OnLoad(EventArgs e)
   at System.Windows.Forms.Form.OnCreateControl()

The PR fixes that unhandled exception but causes a new one later on because we are using a SHA1Managed instance which is inherently non-FIPS compliant. I have an updated branch of the PR where SHA1Cng resolves the issue. SHA1Managed is also used in netkan/FileService.cs and I updated that as well.

SHA1Cng is based on native code, which would ordinarily be a problem for cross-platform support, but mono stubs out a SHA1Cng for us which is a wrapper around SHA1Managed. Even though that kinda violates the FIPS standard, there is no "Group Policy Object" to enable the FIPS mode in the first place, so I think this fix will work on all platforms, though of course it needs testing. The test is simple enough - do we get to the main dialog with no exception or error dialog? There is also a test for the SHA algorithm itself.
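
The failure and the fix discussed in this thread, as an added C# example for .NET Framework (it is not CKAN's code; `UrlCacheKey`, `ManagedSha1Blocked` and the sample URL are hypothetical). It reports whether the runtime sees the FIPS policy as enforced, probes whether `SHA1Managed` is blocked, and derives a cache key with `SHA1Cng`, which is backed by the platform provider.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsSafeCacheKey
{
    // Hypothetical helper: hex SHA-1 of a URL, used only as a cache file name,
    // not as a security control.
    public static string UrlCacheKey(Uri url)
    {
        // SHA1Cng calls the Windows CNG provider, so constructing it does not
        // throw when the FIPS policy is enforced.
        using (SHA1 sha1 = new SHA1Cng())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(url.ToString()));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Returns true if the managed implementation is rejected on this machine,
    // which is the InvalidOperationException shown in the stack traces above.
    public static bool ManagedSha1Blocked()
    {
        try
        {
            using (new SHA1Managed()) { return false; }
        }
        catch (InvalidOperationException)
        {
            return true;
        }
    }

    static void Main()
    {
        // The runtime's view of the FipsAlgorithmPolicy setting.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine("SHA1Managed blocked:  " + ManagedSha1Blocked());
        // Constructed sample URL, not taken from the issue.
        Console.WriteLine(UrlCacheKey(new Uri("https://example.invalid/mods/Sample-1.0.zip")));
    }
}
```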
