Security question. Is Roslyn FIPS 140-2 compliant? #69460
-
Dear community, I would like to ask if Roslyn.Net version 3.0.0-beta4; 2.1.1-rtm-30846 is FIPS 140-2 compliant. Thank you. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
FIPS compliance has a couple of components:
In terms of algorithms Roslyn is capable of using SHA-1 and SHA-256 depending on the options and scenarios provided. By default SHA-256 is used for invocations that go through In terms of does the runtime use certified crypto libraries when available. The most common runtimes that execute the compiler are .NET Framework and .NET Core. The FIPS guidance / information for those can be found here. In terms of are the crypto libraries themselves certified, that is most typically a property of the operating system. You'll likely need to refer to the operating system to see if it supports FIPS and what steps need to be taken to enable it. |
Beta Was this translation helpful? Give feedback.
FIPS compliance has a couple of components:
In terms of algorithms Roslyn is capable of using SHA-1 and SHA-256 depending on the options and scenarios provided. By default SHA-256 is used for invocations that go through
dotnet build
andmsbuild
for hashing purposes. That can be configured to use SHA-1 for legacy compat reasons. When strong name signing is performed then SHA-1 will be used as that is required by the underlying ECMA standard.In terms of does the runtime use certified crypto libraries when available. The most common runtimes that e…