Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SHA256 hashalgorithm used in creating nonce key is not FIPS compliant. #111

Open
hmalli opened this issue Sep 5, 2017 · 5 comments
Open

SHA256 hashalgorithm used in creating nonce key is not FIPS compliant. #111

hmalli opened this issue Sep 5, 2017 · 5 comments
Milestone
Backlog

Comments

@hmalli
Copy link

hmalli commented Sep 5, 2017

We have noticed that the GetNonceKey uses SHA256.Create() to generate hash algorithm which is not FIPS compliant and it is not designed to extend it easily to change the hash algorithm. Can you address this?
@Tratcher
Copy link
Member

Tratcher commented Sep 5, 2017

Note this has changed in the ASP.NET Core version:
https://github.com/aspnet/Security/blob/a53bf093a7d86b35e019c80515c92d7626982325/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L888

@hmalli
Copy link
Author

hmalli commented Sep 5, 2017

What about non asp.net core version?

@hmalli
Copy link
Author

hmalli commented Sep 11, 2017

Tratcher - Any plan to make the same fix in non asp.net core version?

@Tratcher
Copy link
Member

No decision has been made yet.

@muratg muratg added this to the Backlog milestone Oct 27, 2017
@muratg
Copy link

muratg commented Oct 27, 2017

Backlogging this. @blowdart , FYI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@muratg @Tratcher @hmalli